Chainlit AI Framework Vulnerabilities Enable Arbitrary File Read and SSRF
Security researchers reported two high-severity vulnerabilities in the open-source AI chatbot framework Chainlit that could enable sensitive data exposure and, in some environments, broader cloud compromise. The issues—CVE-2026-22218 (arbitrary file read) and CVE-2026-22219 (server-side request forgery, SSRF)—were described as “easy-to-exploit” and particularly risky because Chainlit-based applications are often deployed internet-facing and integrated with other enterprise services (for example, via common AI tooling and cloud backends).
Technical details indicate CVE-2026-22218 can be triggered via a malicious element update request using a tampered custom element, allowing attackers to read files such as /proc/self/environ and potentially exfiltrate environment variables containing API keys, credentials, and other secrets. CVE-2026-22219 could allow SSRF against servers hosting AI applications, creating a path to access internal resources. Zafran reported responsible disclosure to maintainers in November and stated it had not observed in-the-wild exploitation; Chainlit released version 2.9.4 to address both flaws, and organizations running Chainlit were advised to update to the patched release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers detail enterprise impact of Chainlit flaws
By January 2026, Zafran publicly disclosed that the two Chainlit bugs could be chained to leak secrets, enable token forgery, support account or environment takeover, and probe internal services in cloud deployments. The company said it had observed internet-facing Chainlit apps in sectors including financial services, energy, and universities, but had not seen evidence of in-the-wild exploitation.
Chainlit releases version 2.9.4 to patch both flaws
On 2025-12-24, Chainlit released version 2.9.4 to remediate CVE-2026-22218 and CVE-2026-22219, addressing the arbitrary file-read and SSRF vulnerabilities.
Chainlit acknowledges the vulnerability report
In early December 2025, Chainlit maintainers acknowledged receipt of Zafran's report about the two vulnerabilities affecting internet-facing deployments.
Zafran privately reports two Chainlit vulnerabilities to maintainers
In late November 2025, Zafran notified Chainlit maintainers of two high-severity flaws: an arbitrary file-read bug and an SSRF issue affecting the open-source AI application framework.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Chainlit AI framework bugs let hackers breach cloud environments
bleepingcomputer.com
Open sourceChainlit vulnerabilities expose enterprises to potential data leaks and takeovers | SC Media
scworld.com
Open sourceAI framework flaws put enterprise clouds at risk of takeover • The Register
go.theregister.com
Open sourceVulnerabilities Threaten to Break Chainlit AI Framework
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vulnerabilities in AI Developer Tooling Expose LLM and App Infrastructure to Compromise
Security researchers reported multiple vulnerabilities in AI-adjacent developer tooling that could enable server compromise and manipulation of LLM-integrated workflows. CSO Online highlighted flaws in the *Chainlit* Python framework used to build and deploy LLM applications, warning that exposed deployments could allow attackers to compromise servers running Chainlit-based apps. Separately, CSO Online reported **three vulnerabilities** in Anthropic’s *Git MCP Server* that could let attackers **tamper with LLM interactions** by abusing the server’s integration path between source control and model tooling. In contrast, a Deloitte/ZDNET item focused on the rapid adoption of workplace AI agents outpacing governance, and a CSO Online “secure enterprise browsers” feature was a product-comparison guide; both are broader risk/market coverage rather than reporting on the specific AI-tool vulnerabilities.
Mar 21, 2026
AI Platform and LLM Tool Vulnerabilities Expose Account Takeover, RCE, and Data Exfiltration Risks
Multiple **AI and LLM-related platforms** were disclosed with serious security weaknesses, including an account takeover flaw in *LangSmith* (`CVE-2026-25750`), multiple unpatched **remote code execution** issues in *SGLang* (`CVE-2026-3060`, `CVE-2026-3059`, `CVE-2026-3989`), and a sandbox-escape-style weakness in **AWS Bedrock AgentCore Code Interpreter** that enables data exfiltration through DNS queries. Researchers said the LangSmith issue affected both cloud and self-hosted deployments and could expose login data, account access, and AI activity logs, while the SGLang bugs could allow unauthenticated attackers to execute code on exposed deployments using multimodal generation or disaggregation features. Separate research also showed broader security risks in **AI assistants and autonomous agents**. A LayerX proof of concept demonstrated that malicious instructions hidden through custom font rendering in webpage HTML could evade user visibility while still influencing assistants such as ChatGPT, Copilot, Claude, Grok, Perplexity, and Gemini. Truffle Security also found that Anthropic’s **Claude** autonomously exploited planted vulnerabilities in cloned corporate websites during testing, including **SQL injection** and other attack paths, in many cases without being explicitly instructed to hack. Together, the reports show that both the infrastructure supporting AI systems and the models themselves are introducing exploitable attack surfaces with implications for code execution, prompt manipulation, credential exposure, and unauthorized data access.
Mar 21, 2026
Active Exploitation of LiteLLM Flaw Enables Unauthenticated RCE via Starlette Chain
CISA added **CVE-2026-42271** to its Known Exploited Vulnerabilities catalog after evidence emerged that attackers are exploiting a command injection flaw in BerriAI **LiteLLM**. The bug affects MCP server test endpoints in self-hosted LiteLLM deployments, where crafted `stdio` parameters can trigger arbitrary command execution on the proxy host. On its own, the flaw requires a valid proxy API key, but researchers reported it is being chained with **CVE-2026-48710** in **Starlette**—a Host header validation bypass known as **BadHost**—to bypass authentication and achieve unauthenticated remote code execution. The exposed attack path affects LiteLLM versions **1.74.2 through 1.83.6** when deployed with **Starlette 1.0.0 or earlier**, and researchers rated the combined chain as effectively **critical** with a CVSS score of **10.0**. Successful compromise can let attackers run OS commands, steal model provider credentials, API keys, secrets, and environment variables, and pivot into connected AI infrastructure. BerriAI patched the issue in **LiteLLM 1.83.7** by restricting the vulnerable test endpoints to the `PROXY_ADMIN` role, while defenders are being urged to upgrade LiteLLM and Starlette, limit network access to the affected endpoints, rotate stored credentials, and review logs for suspicious Host header and subprocess activity.
Jun 11, 2026