Critical Vulnerabilities in Chainlit Framework Expose AI Systems to Data Theft and Server Compromise Researchers at Zafran Labs have uncovered two high-severity vulnerabilities in Chainlit, a widely used open-source framework for building conversational AI applications. The flaws, dubbed ChainLeak, enable attackers to read arbitrary files on affected servers and extract sensitive data without requiring user interaction. The vulnerabilities CVE-2026-22218 (arbitrary file read) and CVE-2026-22219 (server-side request forgery, or SSRF) pose significant risks to internet-facing AI systems deployed across enterprises, academic institutions, and production environments. Chainlit, which averages 700,000 monthly downloads on PyPI and over 5 million annual downloads, provides a web-based UI, authentication tools, and cloud deployment support, making it a common choice for AI-driven applications. CVE-2026-22218 allows attackers to exploit the `/project/element` endpoint by submitting a malicious element with a manipulated `path` field, forcing the server to copy and expose any accessible file including API keys, cloud credentials, configuration files, and authentication secrets. CVE-2026-22219, affecting deployments using SQLAlchemy, enables SSRF attacks by tricking the server into making unauthorized outbound requests to internal services. Attackers can then retrieve the fetched data, potentially accessing restricted internal IPs and services. Zafran Labs demonstrated that combining both flaws could lead to full-system compromise and lateral movement in cloud environments. The vulnerabilities were reported to Chainlit maintainers on November 23, 2025, with an acknowledgment received on December 9, 2025. A patch was released on December 24, 2025, in Chainlit version 2.9.4, with subsequent updates (including 2.9.6) addressing the issues. Organizations using affected versions are advised to upgrade immediately.