
Two security vulnerabilities have been disclosed in Chainlit, a popular open source artificial intelligence (AI) framework. The flaws could allow an attacker to steal sensitive data and potentially move laterally within a susceptible organization.
Zafran Security said the high-severity flaws, collectively referred to as ChainLeak, could be exploited to leak API keys in cloud environments, steal sensitive files, or conduct server-side request forgery (SSRF) attacks against the servers hosting AI applications.
Chainlit is a framework for building conversational AI applications. According to statistics shared by the Python Software Foundation, the package has been downloaded more than 220,000 times in the past week and 7.3 million times in total.

The details of the two vulnerabilities are as follows:
CVE-2026-22218 (CVSS score: 7.1) is an arbitrary file read vulnerability in the "/project/element" update flow. Because a user-controlled field is not validated, an authenticated attacker can, within their own session, read the contents of any file that the service account is able to read.
CVE-2026-22219 (CVSS score: 8.3) is an SSRF vulnerability in the same "/project/element" update flow that is reachable when SQLAlchemy is configured as the data layer backend. It allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints, and to store the retrieved responses.
“Two vulnerabilities in Chainlit can be combined in various ways to leak sensitive data, escalate privileges, and allow lateral movement within the system,” said Zafran researchers Gal Zaban and Ido Shani. “Once an attacker gains arbitrary file read access on a server, the security of an AI application begins to crumble rapidly. What initially appears to be a contained flaw now provides direct access to the system’s most sensitive secrets and internal state.”
For example, an attacker armed with CVE-2026-22218 could read "/proc/self/environ" and harvest API keys, credentials, and internal file paths, which could then be used to push deeper into the compromised network or to access the application's source code. Alternatively, if the deployment uses SQLAlchemy with a SQLite backend as its data layer, the flaw can be used to leak the database file itself.
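The root cause described above is a user-controlled path that is never checked against the directory it is supposed to stay in. The following is an added illustration, not Chainlit's code and not the project's actual fix, of the confinement check a practitioner would expect in such an update flow: the supplied value is joined to an allowed root, canonicalised (collapsing ".." and following symlinks), and accepted only if the real target is still inside that root. The function and file names, and the sample directory layout, are hypothetical and constructed here.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a user-controlled path points outside the allowed root."""


def resolve_element_path(user_supplied, allowed_root):
    """Canonicalise a user-supplied relative path under allowed_root and
    return it only if the real (symlink-resolved) target is inside that root.

    Hypothetical helper; Chainlit's real handler is not shown on this page.
    """
    if not user_supplied or "\x00" in user_supplied:
        raise PathRejected("empty or NUL-containing path")
    root = Path(allowed_root).resolve(strict=True)
    candidate = Path(user_supplied)
    if candidate.is_absolute():
        # An absolute value such as /proc/self/environ must never be honoured.
        raise PathRejected(f"absolute path not allowed: {user_supplied!r}")
    target = (root / candidate).resolve()  # collapses '..' and follows symlinks
    try:
        target.relative_to(root)
    except ValueError:
        raise PathRejected(f"{user_supplied!r} resolves outside {root}") from None
    return target


def build_demo_tree():
    """Constructed sample layout: elements/ is the only allowed root; outside/
    holds a file that must stay unreadable even via a symlink planted in
    elements/. Returns the root directory as a Path."""
    base = Path(tempfile.mkdtemp(prefix="chainleak-demo-"))
    root = base / "elements"
    root.mkdir()
    (root / "chart.png").write_bytes(b"\x89PNG constructed sample")
    outside = base / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("constructed secret")
    try:
        os.symlink(outside / "secret.txt", root / "link.txt")
    except OSError:
        pass  # platforms without symlink support simply skip that case
    return root


def has_symlink_case(root):
    """True if the symlink escape case could be constructed on this platform."""
    return (Path(root) / "link.txt").is_symlink()


def classify(root, inputs):
    """Map each candidate input to 'accepted' or 'rejected' for the given root."""
    verdicts = {}
    for value in inputs:
        try:
            resolve_element_path(value, root)
            verdicts[value] = "accepted"
        except PathRejected:
            verdicts[value] = "rejected"
    return verdicts


# Constructed inputs covering the common ways a path field is abused.
SAMPLE_INPUTS = [
    "chart.png",              # legitimate element file
    "sub/../chart.png",       # traversal that still ends inside the root
    "../outside/secret.txt",  # classic traversal out of the root
    "/proc/self/environ",     # absolute path to the process environment
    "link.txt",               # symlink inside the root pointing outside it
]

if __name__ == "__main__":
    demo_root = build_demo_tree()
    for value, verdict in classify(demo_root, SAMPLE_INPUTS).items():
        print(f"{verdict:8} {value}")
```

Note that the check is done on the resolved path rather than by string-matching "..": "sub/../chart.png" is accepted because its real target is inside the root, while "link.txt" is rejected even though its text contains nothing suspicious. The file still needs to be opened by the service under its own permissions, so combine this with running the service as a low-privilege user that cannot read secrets it does not need.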

After responsible disclosure on November 23, 2025, both vulnerabilities were addressed by Chainlit in version 2.9.4 released on December 24, 2025.
“As organizations rapidly deploy AI frameworks and third-party components, long-standing software vulnerabilities are being embedded directly into the AI infrastructure,” said Zafran. “These frameworks introduce new attack surfaces that are not well understood, and well-known vulnerability classes can directly compromise AI-powered systems.”
Microsoft MarkItDown MCP server defect
The disclosure comes as BlueRock detailed a vulnerability in Microsoft's MarkItDown Model Context Protocol (MCP) server, dubbed "MCP fURI," that allows arbitrary URI resources to be fetched, exposing organizations to privilege escalation, SSRF, and data leakage. The flaw is most damaging on servers running on Amazon Web Services (AWS) EC2 instances that still use IMDSv1.

"This vulnerability allows an attacker to use the MarkItDown MCP tool convert_to_markdown to call arbitrary Uniform Resource Identifiers (URIs)," BlueRock said. "Because URIs have no boundaries, a user, agent, or attacker invoking the tool can access any HTTP or file resource."
"If you provide a URI to your MarkItDown MCP server, you can use it to query the server's instance metadata. If a role is associated, the user can retrieve credentials for the instance, giving them access to the AWS account, including the access key and secret key."
The agentic AI security firm said it analyzed more than 7,000 MCP servers and found that 36.7% of them could be exposed to similar SSRF vulnerabilities. To reduce the risk, BlueRock recommends enforcing IMDSv2 to blunt SSRF against the metadata service, blocking requests to private IP ranges, restricting access to metadata endpoints, and maintaining allowlists of permitted destinations to prevent data leakage.
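Both the Chainlit SSRF (CVE-2026-22219) and the MarkItDown "MCP fURI" issue come down to a server fetching a URL chosen by the user, with no check on where it points. The block below is an added example, not code from Chainlit, MarkItDown, Zafran or BlueRock, of the egress guard that implements the mitigations listed above: only http(s) is allowed (so file:// is refused outright), an optional allowlist of hosts is applied, the host is resolved and every returned address must be globally routable and not an instance-metadata address. The host names and address table used in the offline demo are constructed, and the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Instance-metadata addresses that SSRF payloads aim for (AWS IMDS IPv4 and
# IPv6 endpoints). Both are also non-global, but listing them makes the intent
# explicit and survives a later loosening of the is_global test.
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}


def resolve_host(host):
    """Resolve a hostname or IP literal to a list of ip_address objects."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass  # not a literal, fall through to DNS
    addrs = []
    for *_, sockaddr in socket.getaddrinfo(host, None):
        # IPv6 results may carry a '%scope' suffix that ip_address() rejects.
        addrs.append(ipaddress.ip_address(sockaddr[0].split("%")[0]))
    return addrs


def make_static_resolver(table):
    """Resolver backed by a constructed host -> [address] table, so the check
    can be exercised offline without real DNS (hypothetical helper)."""
    def resolver(host):
        if host not in table:
            raise socket.gaierror(f"constructed table has no entry for {host!r}")
        return [ipaddress.ip_address(a) for a in table[host]]
    return resolver


def check_outbound_url(url, allowed_hosts=None, resolver=resolve_host):
    """Return (allowed, reason) for a URL that a tool has been asked to fetch.

    allowed_hosts: optional set of lower-case host names; if given, anything
    else is refused before DNS is even consulted.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"  # refuses file://, gopher://, ...
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except (socket.gaierror, UnicodeError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
        # is_global is False for private, loopback, link-local, reserved and
        # unspecified ranges, which covers every internal target at once.
        if not addr.is_global or str(addr) in METADATA_ADDRESSES:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed table: one honest host and one that mixes a public address
    # with the metadata address, as a DNS-rebinding attacker would.
    demo = make_static_resolver({
        "api.example.com": ["93.184.216.34", "2606:4700::1111"],
        "rebind.example": ["93.184.216.34", "169.254.169.254"],
    })
    for url in (
        "https://api.example.com/v1",
        "https://rebind.example/",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "file:///etc/passwd",
        "http://127.0.0.1:8000/admin",
    ):
        print(check_outbound_url(url, resolver=demo), url)
```

Two caveats for production use. First, the address that passed the check must be the one actually connected to (pin it, or re-run the check on the socket's peer address), otherwise a second DNS lookup inside the HTTP client reopens the rebinding hole; for the same reason, follow redirects manually and re-check each hop. Second, this guard protects only the application that calls it; enforcing IMDSv2 on the instance (for example with `aws ec2 modify-instance-metadata-options --http-tokens required`) protects every process on the host, because the session token then has to be obtained with a PUT request and a custom header that a plain GET-based SSRF cannot send.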
