
Chainlit Security Flaws Highlight Infrastructure Risks in AI Apps

By Team-CWD | January 20, 2026
Two security vulnerabilities disclosed in the Chainlit framework have drawn attention to the growing risks posed by traditional web flaws in AI application environments.

The issues, discovered by Zafran Research and tracked as CVE-2026-22218 and CVE-2026-22219, show how weaknesses in backend infrastructure can expose sensitive data and cloud resources, even when the underlying AI models remain unaffected.

Chainlit is widely used to build conversational AI applications and integrates with popular orchestration and model platforms. While discussions around AI security often focus on prompt injection or model misuse, the newly published research points instead to familiar server-side problems that can have an outsized impact in AI-driven systems.

File Access and Server Requests Create Exposure

The first vulnerability allows authenticated users to read arbitrary files from a Chainlit server. By manipulating how custom elements are handled, an attacker can copy files from anywhere the server has access to into their own session. These files can then be retrieved through standard API calls.

The second flaw enables server-side request forgery (SSRF) in deployments that rely on a SQLAlchemy data layer. In this scenario, an attacker can instruct the server to fetch data from arbitrary URLs and store the response. While the attacker does not receive the response directly, it can later be accessed through the application’s element retrieval functionality.

Both flaws stem from insufficient validation of user-controlled properties and affect the backend services supporting the AI application rather than the AI logic itself.
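The kind of validation whose absence is described above, as an added illustration rather than Chainlit's code or its 2.9.4 patch: one check confines a client-supplied file path to an upload directory, the other refuses URLs that resolve to internal addresses. The function names, the `ALLOWED_ROOT` directory and the `resolver` parameter are assumptions made for this example.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

# Assumed upload directory for this example; not Chainlit's real layout.
ALLOWED_ROOT = Path("/srv/app/uploads")


def safe_element_path(user_path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Return the resolved path only if it stays inside root."""
    root = root.resolve()
    # Joining an absolute user_path discards root, and ".." climbs out of it;
    # resolve() collapses both (and symlinks) before the containment check.
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def safe_element_url(url: str, resolver=socket.getaddrinfo) -> list[str]:
    """Return the resolved addresses if every one is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = []
    for info in resolver(parts.hostname, port, type=socket.SOCK_STREAM):
        addr = info[4][0].split("%")[0]  # drop any IPv6 zone id
        # is_global is False for loopback, RFC 1918, link-local (which covers
        # 169.254.169.254 metadata endpoints) and reserved ranges.
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"{parts.hostname} resolves to internal {addr}")
        addrs.append(addr)
    if not addrs:
        raise ValueError(f"{parts.hostname} did not resolve")
    return addrs
```

The fetch that follows should connect to one of the returned addresses and re-validate every redirect hop, otherwise a second DNS lookup or a redirect can still reach an internal target.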


Impact on AI Deployments and Cloud Environments

According to Zafran, these vulnerabilities can be combined to escalate an attack well beyond the application layer. Once arbitrary file access or SSRF is achieved, attackers may gain access to environment variables, local databases or cached data containing user prompts and responses.

In cloud-connected deployments, the risks increase further. Credentials stored in environment variables may allow access to storage services, databases or other internal resources. In some configurations, attackers could also probe internal APIs or cloud metadata services.

The research highlights several potential consequences:

  • Exposure of API keys, authentication secrets and internal configuration data

  • Leakage of user conversations, prompts and application metadata

  • Access to cloud resources and possible lateral movement within an account

Zafran said it discovered the vulnerabilities during a survey of publicly accessible Chainlit servers, including deployments linked to enterprises and academic institutions. Chainlit reported around 700,000 downloads per month and more than five million downloads over the past year.

Chainlit released a patched version, 2.9.4, on 24 December, 2025. Users are advised to update affected systems as soon as possible. Zafran also published temporary web application firewall signatures to reduce exposure until patches are applied.


