Two vulnerabilities in popular AI development framework Chainlit could enable attackers to read arbitrary files and database content from servers. If left unpatched, the flaws could allow attackers to leak API keys and other secret tokens to facilitate lateral movement inside the organization’s infrastructure.

“These vulnerabilities can be triggered with no user interaction,” researchers from security firm Zafran said in a report on the Chainlit flaws. “Zafran confirmed the vulnerabilities in real-world, internet-facing applications operated by major enterprises.”

Chainlit is a Python-based package for building AI apps with chatbot interfaces. It handles authentication and offers integrations with various backend systems, databases, and cloud services. With over 5 million downloads in the past year from the Python Package Index (PyPI), Chainlit is often mentioned in tutorials for building user-facing interfaces for RAG systems and other LLM-powered apps.

The two vulnerabilities, tracked as CVE-2026-22218 and CVE-2026-22219, were fixed in version 2.9.4, released last month. The release notes at the time mentioned a “security vulnerability fix” but no other details until the advisory was released this week.

Arbitrary file reads through custom elements

The first vulnerability (CVE-2026-22218) is located in the framework’s Element class. In Chainlit, elements are pieces of content that can be attached to a message, for example images, PDF files, videos, audio files, and dataframes, among others.

The framework’s Element class also supports a custom type for displaying JavaScript XML (JSX) files inside a message. JSX files extend JavaScript’s syntax to display HTML and are commonly used by libraries such as React.

The Zafran researchers discovered that this custom element gives attackers control over all its properties, because it does not validate the fields. For example, if attackers send a custom element with the path property set to any file on the server, the file will be returned to the user session.

Because of this, the flaw allows attackers to read arbitrary files from the server, many of which could contain sensitive information. For example, the /proc/self/environ file exposes the server process's environment variables, and these can contain API keys, credentials, internal file paths, database paths, tokens for AWS and other cloud services, and even CHAINLIT_AUTH_SECRET, a secret that’s used to sign authentication tokens when authentication is enabled.

On top of that, if LangChain is used as the orchestration layer behind Chainlit and caching is enabled, user prompts sent to the LLM and the corresponding responses are saved to a file called .chainlit/.langchain.db. This file stores prompts across users and tenants, so attackers could exfiltrate it periodically to obtain sensitive information. Zafran’s proof-of-concept exploit involved leaking this file.

Server-side request forgery

The second vulnerability (CVE-2026-22219) uses the same custom element as an attack vector but exploits it in a different way, through the URL property. By setting this field, attackers can force the server to send a request to the specified URL, fetch its contents, and save them in the database.

Chainlit uses PostgreSQL by default but can also use SQLAlchemy with different backends such as SQLite or cloud storage providers such as AWS S3 or Azure Blobs. By exploiting this vulnerability, attackers can trigger a server-side request forgery (SSRF) to obtain credentials.

“If Chainlit is deployed on an AWS EC2 instance with IMDSv1 enabled, the SSRF vulnerability can be used to access http://169.254.169.254/latest/meta-data/iam/security-credentials/ and retrieve role endpoints, allowing lateral movement within the cloud account,” the researchers said.

By combining these two flaws, attackers can extract not only information and credentials but also the database itself or source code files from the application that might contain custom code.

“Once cloud credentials or IAM tokens are obtained from the server, the attacker is no longer limited to the application,” the researchers wrote in their report. “They gain access to the cloud environment behind it. Storage buckets, secrets managers, LLM, internal data, and other cloud resources may become accessible to an attacker.”

The Zafran report contains signatures for the Snort network intrusion detection system and for the Cloudflare web application firewall, which can be used to block attack attempts until the applications are updated to a patched Chainlit version.
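The two unvalidated properties described above, path and url, can each be checked before the server acts on them. The following is an added example, not Chainlit's code or its 2.9.4 fix; UPLOAD_ROOT, the function names, and the shape of the props dictionary are assumptions made for illustration.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

# Assumed directory holding files the application itself stored (hypothetical).
UPLOAD_ROOT = Path("/srv/app/uploads")


def path_is_confined(candidate: str, root: Path = UPLOAD_ROOT) -> bool:
    """True only if candidate, after resolving '..' and symlinks, stays under root."""
    # Joining an absolute candidate discards root, so /proc/self/environ fails here too.
    resolved = (root / candidate).resolve()
    return resolved.is_relative_to(root.resolve())


def url_is_external(url: str) -> bool:
    """True only if url is http(s) and every address it resolves to is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parts.hostname, parts.port or 443,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    # is_global is False for loopback, RFC 1918 and link-local ranges,
    # which covers the 169.254.169.254 metadata address.
    return all(ipaddress.ip_address(info[4][0]).is_global for info in infos)


def validate_element(props: dict) -> list[str]:
    """Return the reasons a client-supplied element is rejected (empty list = accept)."""
    errors = []
    if props.get("path") and not path_is_confined(props["path"]):
        errors.append("path escapes upload root")
    if props.get("url") and not url_is_external(props["url"]):
        errors.append("url targets a non-public address")
    return errors
```

A check like this only holds if the later fetch connects to the same address that was validated; resolving the hostname a second time at request time reopens the gap.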
