released<\/a> a patched version (2.9.4) that fixes the flaws. So if you use Chainlit, make sure to update the framework to the fixed release.\u00a0<\/p>\nArbitrary file read<\/p>\n
The arbitrary file read flaw, CVE-2026-22218, has to do with how the framework handles elements \u2013 these are pieces of content, such as a file or image, that can be attached to a message. It can be triggered by sending a malicious update element request with a tampered custom element, and abused to exfiltrate environment variables by reading \/proc\/self\/environ.\u00a0<\/p>\n
“These variables often contain highly sensitive values that the system and enterprise depend on, including API keys, credentials, internal file paths, internal IPs, and ports,” according to Zafran’s analysis, shared with The Register ahead of publication. “This is mostly dangerous in AI systems where the servers have access to internal data of the company to provide a tailored chatbot experience to their users.”\u00a0<\/p>\n
In environments where authentication is enabled, attackers can steal secrets used to sign authentication tokens (CHAINLIT_AUTH_SECRET). These secrets, when combined with user identifiers \u2013 leaked from databases or inferred from organization emails \u2013 can be abused to forge authentication tokens and fully take over users’ Chainlit accounts.<\/p>\n
Other environment variables up for grabs may include cloud credentials \u2013 such as AWS_SECRET_KEY \u2013 that Chainlit requires for cloud storage, along with sensitive API keys or the addresses and names of internal services.<\/p>\n
Plus, an attacker can probe these addresses using the second SSRF vulnerability to access sensitive data from internal REST APIs.\u00a0<\/p>\n
Server-side request forgery<\/p>\n
Zafran found the SSRF vulnerability, CVE-2026-22219, in the SQLAlchemy data layer. This one is triggered in the same way as the arbitrary file read \u2013 via a tampered custom element. Then, the attacker can retrieve the copied file by extracting the element’s “chainlit key” property from the metadata, download the file to an attacker-controlled computer, and query the file to access conversation history.<\/p>\n
According to Seri, the vulnerabilities are “easy to exploit,” and can be combined in multiple ways to leak sensitive data, escalate privileges, and move laterally within the system.<\/p>\n
“An attacker only needs to send a simple command and change one value to point to the file or URL they want to access,” he said.\u00a0<\/p>\n
“Regarding how the vulnerabilities can be combined, SSRF typically requires knowledge of the server environment,” Seri added. “By leveraging the read-file vulnerability to leak that information, such as environment details or internal addresses, it becomes much easier to successfully carry out the SSRF attack.”<\/p>\n
Companies increasingly use AI frameworks to build their own AI chatbots and apps, and Seri acknowledges that organizations are “working under very tight timelines to deliver fully functioning AI systems that integrate with highly sensitive data.”<\/p>\n
Using third-party frameworks and open-source code allows development teams to move fast \u2013 and it introduces new risks to the environment.<\/p>\n
“The risk is not the use of third-party code by itself, but the combination of rapid integration, limited understanding of the added code, and reliance on external maintainers for security and code quality,” Seri said. “As a result, organizations end up deploying backend servers that communicate with clients, cloud resources, and LLMs, creating multiple entry points where vulnerabilities can emerge and put the system at risk.” \u00ae<\/p>\n","protected":false},"excerpt":{"rendered":"Two “easy-to-exploit” vulnerabilities in the popular open-source AI framework Chainlit put major enterprises’ cloud environments at risk of…\n","protected":false},"author":2,"featured_media":390317,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[554,733,4308,86,56,54,55],"class_list":{"0":"post-390316","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-technology","12":"tag-uk","13":"tag-united-kingdom","14":"tag-unitedkingdom"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/390316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/comments?post=390316"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/390316\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media\/390317"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media?parent=390316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/categories?post=390316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/tags?post=390316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}