Two high severity vulnerabilities in Chainlit, a popular open source framework for building conversational AI applications, were reported in a technical analysis by Zafran Labs. The flaws can let attackers read any file on a Chainlit server and force outbound HTTP requests. Chainlit averages about 700,000 monthly downloads on PyPI.
KEY FACTS
- Vulnerabilities CVE-2026-22218 and CVE-2026-22219
- Impact arbitrary file read and server side request forgery
- Affected internet facing Chainlit deployments used in enterprises and academia
- Fix patched in Chainlit 2.9.4 released December 24, 2025
CVE-2026-22218 is exploitable via the /project/element endpoint by submitting a custom element with a controlled path field. The framework copies the file at that path into the attacker session without validation, allowing read access to any file reachable by the server.
CVE-2026-22219 affects deployments using the SQLAlchemy data layer. A crafted element can set a url field so the server issues an outbound GET request and stores the response. The stored data can be retrieved via element download endpoints, exposing internal services and addresses.
The two flaws can be combined into a single attack chain that enables full system compromise and lateral movement in cloud environments. The flaws expose secrets such as API keys, cloud credentials, source code, configuration files and authentication data when present on the server.
Notification to Chainlit maintainers occurred on November 23, 2025, with acknowledgment on December 9, 2025. The vulnerabilities were fixed on December 24, 2025 with the Chainlit 2.9.4 release. Impacted organizations are recommended to upgrade to 2.9.4 or later; the latest is 2.9.6.
WHY IT MATTERS
Internet facing AI systems built with Chainlit can expose sensitive files and internal services if not patched. Operators should update affected deployments and review exposed endpoints and credentials.