Categories: Cyber Security News

Critical Chainlit AI Vulnerabilities Allow Hackers to Take Over Cloud Environments

Zafran Labs has identified two critical vulnerabilities in Chainlit, a popular open-source AI framework deployed across enterprise environments, that allow unauthenticated attackers to leak sensitive cloud credentials and compromise infrastructure.

The discovery marks the launch of Project DarkSide, an ongoing initiative focused on uncovering security weaknesses in AI application building blocks.

With approximately 700,000 monthly downloads on PyPI and active deployments in large enterprises and academic institutions, Chainlit’s vulnerabilities present a significant risk to organizations that are rapidly adopting AI infrastructure.

The flaws, CVE-2026-22218 and CVE-2026-22219, can be exploited with no user interaction, allowing attackers to exfiltrate environment variables, database contents, and source code before moving laterally into cloud environments.

| CVE ID | Type | CVSS Score | Attack Vector | Impact |
| --- | --- | --- | --- | --- |
| CVE-2026-22218 | Arbitrary File Read | 9.1 Critical | Network/Unauthenticated | Leak API keys, credentials, source code, and cross-tenant data |
| CVE-2026-22219 | Server-Side Request Forgery (SSRF) | 9.1 Critical | Network/Unauthenticated | Access internal services, retrieve AWS IMDSv1 credentials |

Technical Attack Chains

CVE-2026-22218 exploits improper validation in the /project/element endpoint. Attackers craft malicious HTTP requests with controlled properties in custom elements.

Setting the path property to an arbitrary file location (e.g., /proc/self/environ) lets the attacker read any file accessible to the Chainlit process.

In multi-tenant deployments using LangChain caching, attackers can leak cross-tenant prompts and responses stored in .chainlit/.langchain.db.

CVE-2026-22219 targets the SQLAlchemy data layer through the same element endpoint. By specifying a malicious url property, attackers force the server to perform HTTP requests to internal targets.

On AWS EC2 instances with IMDSv1 enabled, this enables the retrieval of temporary security credentials via the metadata service at 169.254.169.254.
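Both flaws come down to a server acting on a client-supplied path or url without checking where it points. The sketch below is an added example of the generic server-side checks for these two bug classes; it is not Chainlit's code or its 2.9.4 fix, and ELEMENT_ROOT, safe_element_path and check_fetch_url are hypothetical names.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical directory for element files (assumption, not a Chainlit path).
ELEMENT_ROOT = Path("/srv/app/element-files")


def safe_element_path(user_path: str, root: Path = ELEMENT_ROOT) -> Path:
    """Resolve a client-supplied path; raise ValueError if it leaves root."""
    root = root.resolve()
    # An absolute input replaces root in the join, and resolve() collapses
    # '..' and symlinks, so both escapes fail the containment check below.
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes element root: {user_path!r}")
    return candidate


def check_fetch_url(url: str, resolve=socket.getaddrinfo) -> list:
    """Return the vetted IPs for url; raise ValueError if any is non-public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no DNS lookup
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = [ipaddress.ip_address(i[4][0]) for i in resolve(host, port)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:
        # Rejects loopback, RFC 1918 and link-local ranges, which include
        # the 169.254.169.254 metadata address.
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{host} maps to non-public address {ip}")
    # The caller must connect to one of these vetted IPs and refuse
    # redirects; resolving the name again later reopens the hole.
    return [str(ip) for ip in addrs]
```
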

Once environment variables are exfiltrated, attackers gain access to cloud credentials (AWS_SECRET_KEY), database URLs, and authentication secrets.

In cloud-native deployments, these credentials provide direct access to storage buckets, secrets managers, LLM services, and internal data repositories.

The combination of arbitrary file read plus SSRF enables complete lateral movement within cloud environments.

Additionally, leaked source code exposes proprietary callbacks and hooks, enabling further vulnerability research and identification of additional attack paths.

Chainlit released version 2.9.4, which addresses both vulnerabilities. Organizations should prioritize immediate patching of affected deployments.

Until patches are deployed, Zafran provides detection signatures:

  • Snort Rule: Monitors PUT requests to /project/element endpoint
  • Cloudflare WAF Rule: Blocks malicious element submissions
  • Zafran Components Module: Identifies Chainlit instances running versions below 2.9.4
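The first and third items can be approximated from data most teams already have. This added example (not Zafran's signatures and not Chainlit code) flags PUT requests to /project/element in reverse-proxy access logs and checks a version string against 2.9.4; the Combined Log Format, the sub-path handling and the sample lines are assumptions, and the lines are constructed.

```python
import re
from collections import Counter

FIXED = (2, 9, 4)  # patched Chainlit release named in the article

# Combined Log Format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "PUT /project/element HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2026:10:01:05 +0000] "PUT /chat/project/element?x=1 HTTP/1.1" 200 498',
    '198.51.100.4 - - [12/Jan/2026:10:02:11 +0000] "GET /project/settings HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Jan/2026:10:02:30 +0000] "POST /project/element HTTP/1.1" 405 0',
]


def is_vulnerable(version: str) -> bool:
    """True if a Chainlit version string is below 2.9.4."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(n) for n in m.group().split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED


def element_puts(lines):
    """Return (client, timestamp, status) for each PUT to /project/element."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        # Drop the query string; endswith() also covers an app mounted
        # under a sub-path (assumption about the deployment).
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path.endswith("/project/element"):
            hits.append((m["client"], m["ts"], int(m["status"])))
    return hits


def triage(version: str, lines):
    """Summarise exposure: vulnerable build plus who sent element PUTs."""
    hits = element_puts(lines)
    return {"vulnerable": is_vulnerable(version),
            "by_client": Counter(c for c, _, _ in hits), "hits": hits}
```

A hit is a lead for review, not proof of exploitation; access logs do not record the request body, so the element properties themselves have to come from a WAF or packet capture.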

The discovery reinforces that rapid AI adoption without a security-first architecture creates substantial risk.

Traditional vulnerability classes, such as access control flaws, file handling, and network interaction issues, are being embedded directly into AI infrastructure through third-party frameworks.

As organizations build multi-layer AI systems combining UI frameworks, orchestration platforms, and LLM services, the attack surface expands significantly.

Conduct an immediate inventory of Chainlit deployments, apply patches to version 2.9.4 or later, and implement strict segmentation of cloud credentials and environment variables across AI infrastructure.
