Cybersecurity firm Zafran uncovers two serious vulnerabilities in Chainlit.
The open-source AI framework helps companies build chatbots and apps. Attackers can steal secrets and hijack accounts. Google Cloud and other clouds face big risks.
Chainlit Vulnerabilities: How the Vulnerabilities Work
Zafran names the flaws CVE-2026-22218 and CVE-2026-22219. Attackers need only low permissions. They use simple tricks to gain high access.
- CVE-2026-22218: Allows arbitrary file read through /project/element update Attacker sends custom path → server copies file → attacker gets sensitive data (API keys, credentials, internal paths)
- CVE-2026-22219: Enables server-side request forgery in SQLAlchemy backend Attacker controls URL in element → server fetches it → reaches internal services or cloud metadata
Both bugs use “confused deputy” attacks. Service agents get too many permissions. Attackers steal tokens and access Cloud Storage, BigQuery, and LLM chat history.
Also read about: Malicious VS Code Extensions Steal Data From 1.5 Million Developers
Risks and Fixes
Chainlit has 700,000 monthly downloads. It connects to LangChain, OpenAI, Amazon Bedrock, and LlamaIndex. Flaws hit financial, energy, and university users. No attacks seen in the wild yet.
Google says flaws are “working as intended.” No official fix from Google. Chainlit releases version 2.9.4 on December 24, 2025. It adds sanitization to block the attacks.
Companies must update now. Zafran gives web firewall rules for unpatched systems. Monitor service agents closely. Limit Viewer roles and update permissions.
The flaws show cloud defaults can be dangerous. Security teams must add extra checks. Enterprise clouds stay at risk until patched.
More News To Read: