Two critical vulnerabilities discovered in the Chainlit AI framework could allow attackers to steal sensitive data including cloud credentials, API keys, and user conversations from enterprise deployments. The flaws, tracked as CVE-2026-22218 and CVE-2026-22219, affect all versions prior to 2.9.4 and impact a framework that sees approximately 700,000 downloads per month.

Chainlit is an open-source Python framework designed for building conversational AI applications and chatbots. Security researchers at Zafran discovered the vulnerabilities during a survey of publicly accessible Chainlit servers, which included deployments linked to enterprises and academic institutions. According to the researchers, both flaws are considered easy to exploit and can be combined to leak sensitive data, escalate privileges, and move laterally within affected systems.

The first vulnerability, CVE-2026-22218, is an arbitrary file read flaw that stems from how the framework handles elements such as files and images attached to messages. Authenticated users can manipulate custom element handling to copy files from anywhere the server has access to into their own session. Attackers can exploit this to exfiltrate environment variables by reading /proc/self/environ, potentially exposing cloud credentials like AWS_SECRET_KEY and authentication secrets used to sign tokens.

The second flaw, CVE-2026-22219, is a server-side request forgery vulnerability found in the SQLAlchemy data layer. It can be triggered using the same technique as the file read bug through a tampered custom element. This allows attackers to instruct the server to fetch data from arbitrary URLs, enabling them to probe internal REST APIs, access cloud metadata services, and retrieve sensitive information from internal network resources.

Chainlit released a patched version 2.9.4 on December 24, 2025. Organizations using the framework are strongly advised to update immediately and audit their deployments for signs of compromise. Security teams should also review environment variables for exposed credentials and rotate any potentially compromised API keys or authentication secrets.
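As a starting point for the audit recommended above, the following added example (not code from Chainlit or Zafran) flags Chainlit pins in requirements-style files and in the current Python environment that fall below the patched 2.9.4 release. The sample requirement lines are constructed, and the version parser is a simplification that treats a pre-release suffix such as "rc1" as equal to the final release.

```python
import re
from importlib import metadata

FIXED = (2, 9, 4)  # patched release named in the article
# name, optional [extras], optional ==/>=/~= operator, optional version
REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:\[[^\]]*\])?\s*(==|>=|~=)?\s*([0-9][^\s;,#]*)?")

def parse_version(text):
    """'2.9.4' -> (2, 9, 4); missing parts count as 0, a suffix like 'rc1' is dropped."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))

def classify(line):
    """None for non-Chainlit lines, otherwise 'vulnerable', 'review' or 'ok'."""
    m = REQ.match(line)
    if not m or m.group(1).lower().replace("_", "-") != "chainlit":
        return None
    op, ver = m.group(2), m.group(3)
    if ver is None:
        return "review"  # unpinned or other specifier: the lock file decides
    if parse_version(ver) >= FIXED:
        return "ok"  # ==, >= and ~= with this floor exclude older releases
    return "vulnerable" if op == "==" else "review"

def audit(lines):
    """Return (line_number, text, status) for every Chainlit requirement found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        status = classify(line)
        if status:
            hits.append((number, line.strip(), status))
    return hits

def installed_status():
    """Status of the Chainlit package in the current environment, or None if absent."""
    try:
        return "ok" if parse_version(metadata.version("chainlit")) >= FIXED else "vulnerable"
    except metadata.PackageNotFoundError:
        return None

# Constructed requirements.txt content, for illustration only
SAMPLE = ["openai==1.0.0", "chainlit==2.9.3", "Chainlit[all]~=2.9.0", "# chainlit==2.0", "chainlit>=2.9.4"]

if __name__ == "__main__":
    for number, text, status in audit(SAMPLE):
        print(f"line {number}: {text} -> {status}")
    print("installed:", installed_status())
```

A "review" result means the specifier permits both affected and patched releases, so the resolved version in the lock file or running environment has to be checked directly.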