Chainlit Vulnerabilities May Leak Sensitive Information

  • January 20, 2026

Jasper_The_Rasper
Moderator
The two bugs, an arbitrary file read and an SSRF bug, can be exploited without user interaction to leak credentials, databases, and other data.

January 20, 2026 By Ionut Arghire

Two high-severity vulnerabilities in Chainlit expose major enterprises to attacks leading to sensitive information disclosure, cybersecurity firm Zafran reports.

An open source Python package for building conversational AI applications, Chainlit has over 700,000 monthly downloads on PyPI.

The framework provides integration with LangChain, OpenAI, Bedrock, Llama, and more, and supports features such as authentication, cloud deployments, and telemetry.

According to Zafran, there are multiple Chainlit servers accessible from the internet, including instances pertaining to large enterprises and academic institutions, and they are susceptible to attacks leaking the contents of any file on the server.

This is possible because Chainlit versions prior to 2.9.4 are affected by CVE-2026-22218 and CVE-2026-22219, two high-severity bugs that allow threat actors to read arbitrary files and make requests to internal network services or cloud metadata endpoints.
