CVE-2026-22218 & CVE-2026-22219: Chainlit Critical Flaws Enable Silent File Theft and Server-Side Request Forgery

Aegiron 9 mins0

Chainlit Critical Vulnerabilities Disclosure

Disclosure date: January 20, 2026
Product: Chainlit – Open-source Python framework for building AI/chatbot interfaces
Affected deployments: Internet-exposed or internal Chainlit applications running versions prior to 2.9.4
Risk level: Critical (combined impact)

Product Overview

Chainlit is commonly used to build interactive AI applications and chat interfaces. It exposes backend APIs that manage conversations, uploaded elements (files, images, data objects), and application state. These APIs are often authenticated but are typically accessible to normal users, developers, or API clients.

The disclosed issues affect how Chainlit processes custom elements and remote file references, allowing attackers to abuse trusted backend behavior.

Vulnerability Summary

Two independent but related vulnerabilities were identified in Chainlit’s element handling logic:

  1. Arbitrary File Read – allows attackers to read sensitive files from the server filesystem.
  2. Server-Side Request Forgery (SSRF) – allows attackers to force the server to make internal or cloud-metadata HTTP requests.

Both vulnerabilities:

  • Require no user interaction
  • Can be exploited by a low-privileged authenticated user
  • Can lead to credential leakage, configuration exposure, and cloud compromise

CVE Overview Table

CVE NameCVE IDCVSS ScoreSeverityAttack VectorPrivileges RequiredUser InteractionExploit Availability
Chainlit Arbitrary File ReadCVE-2026-222187.1HighNetworkLowNoneNo public weaponized PoC
Chainlit SSRF (SQLAlchemy Data Layer)CVE-2026-222198.3HighNetworkLowNoneNo public weaponized PoC

Even without public exploit code, both issues are easy to exploit by anyone familiar with API testing.

CVE-2026-22218 – Arbitrary File Read

What the vulnerability is

Chainlit allows users to create or update custom elements. During this process, a client supplies a file path that the server uses internally.

Due to missing validation:

  • Absolute paths and unintended filesystem locations are accepted
  • The server reads the file and stores it under an internal key
  • The file can then be retrieved using a follow-up API call

This effectively turns the application into a file-reading service for attackers.

How exploitation works

  1. Attacker authenticates to the application (normal user access is enough)
  2. Sends a request to the element creation or update API
  3. Supplies a malicious file path such as:
    • /etc/passwd
    • /app/.env
    • /proc/self/environ
  4. The server reads the file and assigns it a generated element key
  5. Attacker downloads the file using /project/file/<element_key>

No brute force, no race condition, no user clicks required.

What data can be exposed

  • Environment variables (API keys, tokens)
  • Database credentials
  • OAuth secrets
  • Internal application configuration
  • Stored conversation history
  • Source code files
  • SSH keys (if readable by the process)

MITRE Mapping

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  • ATT&CK:
    • Initial Access: Exploit Public-Facing Application
    • Discovery: File and Directory Discovery
    • Exfiltration: Data from Local System

Detection & Hunting

Log sources to monitor

  • Application logs (Chainlit backend)
  • API gateway / reverse proxy logs
  • File access logs
  • Object storage logs (if elements are persisted)

Indicators of exploitation

  • Requests to /project/element containing:
    • Absolute paths (/etc/, /proc/, /var/)
    • Environment file names (.env, config.yaml)
  • Immediate follow-up requests to /project/file/*
  • Element creation activity outside normal usage patterns

Example detection logic

IF request_path == "/project/element"
AND request_body CONTAINS ("path":"/")
THEN alert "Possible arbitrary file read attempt"

CVE-2026-22219 – Server-Side Request Forgery (SSRF)

What the vulnerability is

When Chainlit is configured with a SQLAlchemy-based data layer, element creation allows a client to specify a remote URL.

The backend:

  • Automatically fetches the URL
  • Does not restrict internal or private addresses
  • Stores the response as element content

This allows attackers to make the server perform internal HTTP requests.

How exploitation works

  1. Attacker authenticates normally
  2. Submits an element creation request with a crafted URL
  3. Example targets:
    • Cloud metadata: http://169.254.169.254/
    • Local services: http://localhost:8000/admin
    • Internal APIs: http://10.x.x.x/internal
  4. Chainlit fetches the response
  5. Attacker retrieves the fetched data

Why this is dangerous

SSRF is often the first step in cloud compromise.

If metadata services are reachable:

  • Temporary cloud credentials can be stolen
  • Attackers can access cloud APIs
  • Full account takeover becomes possible

MITRE Mapping

  • CWE-918: Server-Side Request Forgery
  • ATT&CK:
    • Initial Access: Exploit Public-Facing Application
    • Credential Access: Cloud Instance Metadata API
    • Lateral Movement / Exfiltration

Detection & Hunting (SSRF)

Log sources to monitor

  • Application outbound HTTP logs
  • Network firewall / proxy logs
  • Cloud flow logs
  • Reverse proxy access logs

High-risk indicators

  • Outbound traffic to:
    • 169.254.169.254
    • localhost
    • 127.0.0.1
    • RFC1918 private IP ranges
  • Element creation requests containing URLs
  • Backend making HTTP requests it normally should not

Example detection rule (network)

IF destination_ip == 169.254.169.254
AND process == application_server
THEN alert "Possible SSRF metadata access"

Proof-of-Concept (Educational)

  • No widely published exploit scripts at the time of disclosure
  • Exploitation requires only standard API calls
  • Any API testing tool (curl, Postman) is sufficient
  • Attack complexity is low

Mitigation & Remediation

Immediate actions

  1. Upgrade Chainlit immediately
  2. Review logs for historical exploitation
  3. Rotate all credentials stored in environment variables
  4. Restrict outbound traffic from application servers
  5. Apply WAF rules for /project/element

Long-term hardening

  • Enforce strict allow-lists for file paths
  • Block internal IP ranges in URL fetch logic
  • Require IMDSv2 (cloud metadata protection)
  • Apply least-privilege permissions to runtime accounts
  • Log and alert on element creation abuse

Official Patch / Upgrade Link

Upgrade to Chainlit version 2.9.4 or later

🔗 https://github.com/Chainlit/chainlit/releases/tag/2.9.4

Final Takeaway

These vulnerabilities are silent, low-effort, and high-impact.
Any unpatched Chainlit deployment should be considered at risk of data exposure, especially in cloud environments.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.