
"Two "easy-to-exploit" vulnerabilities in the popular open-source AI framework Chainlit put major enterprises' cloud environments at risk of leaking data or even full takeover, according to cyber-threat exposure startup Zafran. Chainlit is a Python package that organizations can use to build production-ready AI chatbots and applications. Corporations can either use Chainlit's built-in UI and backend, or create their own frontend on top of Chainlit's backend. It also integrates with other tools and platforms including LangChain, OpenAI, Bedrock, and LlamaIndex, and supports authentication and cloud deployment options."
"The two vulnerabilities are CVE-2026-22218, which allows arbitrary file read, and CVE-2026-22219, which can lead to server-side request forgery (SSRF) attacks on the servers hosting AI applications. While Zafran didn't see any indications of in-the-wild exploitation, "the internet-facing applications we observed belonged to the financial services and energy sectors, and universities are also using this framework," CTO Ben Seri told The Register. Zafran disclosed the bugs to the project's maintainers in November, and a month later, Chainlit released a patched version (2.9.4) that fixes the flaws."
"The arbitrary file read flaw, CVE-2026-22218, has to do with how the framework handles elements - these are pieces of content, such as a file or image, that can be attached to a message. It can be triggered by sending a malicious update element request with a tampered custom element, and abused to exfiltrate environment variables by reading /proc/self/environ."
Two vulnerabilities in Chainlit, CVE-2026-22218 and CVE-2026-22219, enable arbitrary file reads and server-side request forgery (SSRF). The arbitrary file read can be triggered via a malicious update element request with a tampered custom element and can exfiltrate environment variables by reading /proc/self/environ. The SSRF flaw can let attackers make requests from servers hosting AI applications. Zafran observed internet-facing Chainlit instances in financial services, energy, and universities. Zafran disclosed the issues in November and Chainlit released patched version 2.9.4 in December. Users should update to 2.9.4 to mitigate risk.
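To act on the update advice above, the following added example (not code from Zafran, The Register, or the Chainlit project) scans a requirements file for Chainlit pins older than the patched 2.9.4 release. The sample file contents, the extras name and the `chainlit-helper` package name are constructed for illustration, and anything that is not an exact `==` pin is flagged for manual review rather than guessed at.

```python
import re

FIXED = (2, 9, 4)  # patched release named in the article

# A requirements line for the chainlit package itself (optional extras),
# but not for a different package whose name merely starts with "chainlit".
REQ_RE = re.compile(
    r"^\s*chainlit(?![\w.-])\s*(\[[^\]]*\])?\s*(?P<spec>[^;#]*)", re.IGNORECASE
)

def parse_version(text):
    """Turn '2.9.3' into (2, 9, 3); return None for non-numeric versions."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(spec):
    """'vulnerable' or 'patched' for exact pins, 'review' for anything else."""
    m = re.fullmatch(r"==\s*([0-9.]+)", spec.strip())
    version = parse_version(m.group(1)) if m else None
    if version is None:
        return "review"  # unpinned, ranged or pre-release: resolve by hand
    return "vulnerable" if version < FIXED else "patched"

def audit_requirements(text):
    """Return (line number, line, status) for every chainlit requirement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQ_RE.match(line)
        if m:
            findings.append((lineno, line.strip(), classify(m.group("spec"))))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
langchain==0.3.0
chainlit==2.9.3
Chainlit[extras]==2.9.4  # hypothetical extras name
chainlit>=2.0
chainlit-helper==1.0
"""

if __name__ == "__main__":
    for lineno, line, status in audit_requirements(SAMPLE):
        print(f"line {lineno}: {status:10} {line}")
```

A `review` result means the file alone does not determine the installed version; check the resolved version in the deployed environment.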
Read at Theregister