Critical vulnerabilities in Chainlit expose secrets and open doors to cloud attacks


The cybersecurity community has raised a major alarm following the discovery of critical flaws in Chainlit, an open-source framework for building conversational chatbots that has become popular, with millions of downloads. Zafran Security researchers have identified two vulnerabilities that, combined, allow anything from reading sensitive files to making requests to internal network services, opening the door to exfiltration of cloud keys and lateral movement within an organization. The discoverers' report is published on the Zafran Security blog, and Chainlit's official documentation is available from the project.

Chainlit, which according to public statistics has accumulated millions of installations and tens of thousands of weekly downloads, is used to deploy conversational interfaces that often handle sensitive data and secrets for cloud services. Because of its massive adoption, any defect in its logic can have a wide reach: from the theft of API credentials to access to source code or internal databases. The download and usage figures are public on sites such as PyPI Stats, which helps to gauge the scale of the risk.

The two documented flaws are tracked as CVE-2026-22218 and CVE-2026-22219 in the NVD's public vulnerability catalogue. The first is an arbitrary file read vulnerability in the update flow of the project element (route "/project/element"), which would allow an authenticated attacker to retrieve the content of any file accessible to the service. The second is a Server-Side Request Forgery (SSRF) vulnerability that appears when Chainlit is configured with the SQLAlchemy data layer; in that scenario, an attacker could induce the server to make HTTP requests to internal services or to cloud metadata endpoints. The technical details of each CVE are available in the NVD database under CVE-2026-22218 and CVE-2026-22219.

What makes the combination of the two flaws particularly dangerous is that arbitrary file reads can reveal secrets that facilitate subsequent attacks: for example, the content of "/proc/self/environ" usually exposes environment variables with keys and internal paths that an attacker can use to escalate privileges or move laterally. If the application uses SQLAlchemy with SQLite, there is also a risk of complete database files being exfiltrated. For its part, SSRF can be used to query the metadata services of cloud providers (such as those that return temporary credentials), allowing an attacker to obtain valid access to the provider's resources and consolidate the intrusion.

Following the responsible disclosure reported in late November 2025, Chainlit's maintainers published a fix in version 2.9.4, released on December 24, 2025. It is essential that teams running Chainlit instances update to this or a later version: the update corrects the validations in the vulnerable flow and reduces the attack surface. The official patch is in the Chainlit repository on GitHub.

These incidents are not isolated: as companies adopt AI frameworks and third-party components, classic vulnerability classes are being reintroduced within new, AI-specific infrastructure. Zafran and other researchers warn that frameworks such as Chainlit can carry well-known flaws - such as SSRF or arbitrary file reads - into the heart of deployments that handle critical data, with consequences that go beyond a single application.

In parallel, another investigation recently reported by the firm BlueRock found a flaw in Microsoft's MarkItDown MCP server - nicknamed MCP fURI - that allows arbitrary URIs to be invoked from the conversion tool, which also opens paths for SSRF, privilege escalation and information leakage when the server runs on AWS instances with IMDSv1 enabled. BlueRock's analysis indicates that a significant proportion of the MCP servers analyzed could be susceptible to similar attacks; the full report is available on BlueRock's blog. To better understand the risk of SSRF and its implications, the security community relies on resources such as OWASP's material on SSRF and the AWS documentation on protecting the metadata service with IMDSv2.

In the face of these findings, the practical measures for those responsible for security range from immediate action to structural changes in unit management. As a matter of urgency, updating any Chainlit installation to the fixed version is the priority. It is then appropriate to review network configurations and permissions: limit the service's access to internal network resources and cloud metadata, run processes with the minimum privileges required, and store credentials using managed mechanisms or automatic rotation to reduce the impact if they are leaked.

In the medium term, teams should incorporate security audits specific to AI components, include SSRF and file read tests in their pentesting pipelines, and apply hardening principles that reduce the exposure of metadata and internal services. In cloud environments, the adoption of IMDSv2, the blocking of private IP addresses for untrusted processes and the use of allowlists can mitigate many exfiltration vectors. AWS offers guides for applying IMDSv2 and tightening access to metadata, which are a good starting point.
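One way to implement the allowlist and private-address blocking described above, as an added example that is not code from the article, Zafran or Chainlit. The allowlisted host name and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com"}

def _resolve(host):
    """Return every IP address the host name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public_ip(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so it cannot hide a private address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, and link-local (cloud metadata) ranges.
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=_resolve):
    """Return (ok, reason) for a URL the server is about to request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    # Reject if ANY resolved address is internal: an allowlisted name
    # can still be pointed at a private or metadata address via DNS.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The request itself should connect to the address that was checked and re-run the check on every redirect, otherwise a second DNS lookup or a redirect can bypass it. This application-level check complements, and does not replace, network egress rules and IMDSv2.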

The lesson is clear: the rapid integration of AI tools and frameworks brings undoubted benefits, but it also brings classic risks to new layers of the technology stack. Auditing dependencies, demanding patches and designing environments with well-defined security boundaries are essential steps to prevent an apparently localized vulnerability from compromising entire cloud accounts or sensitive organizational data.

If you manage Chainlit-based applications, update to the fixed version as soon as possible and review logs and any secrets that may have been compromised before the patch. For more technical context and specific mitigations, see Zafran's advisory, the NVD records for CVE-2026-22218 and CVE-2026-22219, and the fix published by Chainlit on GitHub.
