Critical security vulnerabilities have been uncovered within the popular open-source artificial intelligence (AI) framework Chainlit, potentially exposing organizations to significant data breaches and lateral movement attacks. These newly identified flaws, collectively named ChainLeak, could allow attackers to steal sensitive cloud API keys and confidential files, or execute server-side request forgery (SSRF) attacks against AI application servers.
The Chainlit framework, widely used for developing conversational AI chatbots, has seen considerable adoption, with over 7.3 million downloads to date. The Python Software Foundation reported more than 220,000 downloads of the package in the past week alone, highlighting its extensive use in the AI ecosystem.
ChainLeak Vulnerabilities Compromise AI Security
Zafran Security researchers Gal Zaban and Ido Shani detailed two high-severity flaws within Chainlit. The first, designated CVE-2026-22218 with a CVSS score of 7.1, is an arbitrary file read vulnerability. This flaw exists in the “/project/element” update flow and allows an authenticated attacker to access any file readable by the service by exploiting a lack of input validation. This can lead to the theft of sensitive information directly from the server’s file system.
The second vulnerability, CVE-2026-22219, carries a more severe CVSS score of 8.3. It is an SSRF vulnerability also present in the “/project/element” update flow. When Chainlit is configured with the SQLAlchemy data layer backend, this flaw permits an attacker to initiate arbitrary HTTP requests to internal network services or cloud metadata endpoints. The server then stores the retrieved responses, offering attackers a pathway to access internal resources or sensitive cloud credentials.
“The two Chainlit vulnerabilities can be combined in multiple ways to leak sensitive data, escalate privileges, and move laterally within the system,” stated Zafran researchers. “Once an attacker gains arbitrary file read access on the server, the AI application’s security quickly begins to collapse. What initially appears to be a contained flaw becomes direct access to the system’s most sensitive secrets and internal state.”
For instance, attackers could leverage CVE-2026-22218 to read system files like “/proc/self/environ.” This could expose critical data such as API keys, credentials, and internal file paths, enabling deeper network penetration. In setups utilizing SQLAlchemy with an SQLite backend, this vulnerability could also be used to exfiltrate database files.
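The root cause of CVE-2026-22218 described above is a file path accepted from the request without being confined to a directory the service intends to serve. The following is an added defensive example (not Chainlit's code, and not the fix the maintainers shipped) showing the containment check a file-serving endpoint should apply: the requested path is resolved against a fixed base directory, symlinks are followed before the test, and anything that lands outside the base, including absolute paths such as "/proc/self/environ", is rejected. The base directory "/srv/app/files" and the sample paths are constructed for illustration.

```python
"""Path containment for a file-serving endpoint (added example, not Chainlit code)."""
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def safe_resolve(base_dir, requested):
    """Resolve `requested` against `base_dir` and require it to stay inside.

    resolve() canonicalises '..' segments and follows symlinks first, so a
    traversal string, an absolute path, or a symlink pointing elsewhere all
    end up outside `base` and fail the containment test.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` discards `base`, which is exactly why the
    # containment test below is needed rather than trusting the join.
    candidate = (base / requested).resolve()
    # Path.is_relative_to exists from Python 3.9 onward.
    if not candidate.is_relative_to(base):
        raise PathRejected(f"{requested!r} resolves to {candidate}, outside {base}")
    return candidate


def is_path_allowed(base_dir, requested):
    """Boolean wrapper around safe_resolve for request handlers and tests."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except PathRejected:
        return False


def symlink_escape_is_rejected():
    """Demonstrate that a symlink inside the base pointing outside it is refused.

    Builds a constructed layout in a temporary directory:
        <tmp>/secret.txt            (outside the served directory)
        <tmp>/files/link -> ../secret.txt
    and returns True when 'link' is correctly rejected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        served = Path(tmp) / "files"
        served.mkdir()
        (Path(tmp) / "secret.txt").write_text("not for clients\n")
        os.symlink(os.path.join("..", "secret.txt"), served / "link")
        return not is_path_allowed(served, "link")


if __name__ == "__main__":
    base = "/srv/app/files"  # constructed example directory
    for req in ["notes/a.txt", "../../../etc/passwd", "/proc/self/environ"]:
        print(f"{req!r:28} allowed={is_path_allowed(base, req)}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The check is deliberately applied to the fully resolved path rather than to the raw string, because string filters ("reject ..") miss encoded variants and symlinks; the same idea applies whether the endpoint reads an element's file or any other user-named path.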
Following responsible disclosure on November 23, 2025, the Chainlit maintainers addressed both vulnerabilities. Version 2.9.4, released on December 24, 2025, is confirmed to fix these issues. “As organizations rapidly adopt AI frameworks and third-party components, long-standing classes of software vulnerabilities are being embedded directly into AI infrastructure,” Zafran noted. “These frameworks introduce new and often poorly understood attack surfaces, where well-known vulnerability classes can directly compromise AI-powered systems.”
Microsoft MarkItDown MCP Server Vulnerability Exposes AWS Instances
In related security news, BlueRock has disclosed a vulnerability in Microsoft’s MarkItDown Model Context Protocol (MCP) server. Dubbed MCP fURI, this flaw allows for the arbitrary calling of URI resources, posing risks of privilege escalation, SSRF, and data leakage for organizations. The vulnerability affects the MCP server when it is running within an Amazon Web Services (AWS) EC2 instance utilizing IMDSv1.
BlueRock explained that the vulnerability enables an attacker to use the MarkItDown MCP tool, convert_to_markdown, to invoke any uniform resource identifier (URI). The lack of any restrictions on the URI allows any user, agent, or attacker to access HTTP or file resources. When a URI is provided to the MarkItDown MCP server, it can be used to query the instance metadata of the server. If an instance role is associated, an attacker can obtain credentials, potentially gaining access to the AWS account, including access and secret keys.
BlueRock’s analysis of over 7,000 MCP servers indicated that more than 36.7% are likely susceptible to similar SSRF vulnerabilities. To mitigate these risks, BlueRock recommends securing instances against SSRF attacks by using IMDSv2, implementing private IP blocking, restricting access to metadata services, and establishing an allowlist to prevent data exfiltration.
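Two of the mitigations listed above, private IP blocking and an allowlist, can be enforced in the server before it fetches any user-supplied URL. The following is an added example (not code from BlueRock, Microsoft MarkItDown, or Chainlit) of such a check, which applies to both the MCP fURI case and the Chainlit SSRF flaw: only http/https schemes pass (so file: URIs are refused), the host must be on a fixed allowlist, and the host is resolved so that any answer in a loopback, private, link-local, or other non-routable range, including the IPv4 metadata address 169.254.169.254 and the IPv6 form fd00:ec2::254, is refused. The allowlisted hostnames, the injectable resolver, and the sample addresses are assumptions made for this example.

```python
"""Outbound URL validation against SSRF (added example, not vendor code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed allowlist: the only hosts this server is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "docs.example.com"}
# Ranges the ipaddress flags do not cover on older Pythons (shared address space).
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def _default_resolver(host):
    """Resolve a hostname to the set of address strings it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip):
    """True for any address that should never be reachable from a fetcher."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) to test the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr.version == net.version and addr in net for net in EXTRA_BLOCKED)


def check_outbound_url(url, resolver=_default_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a URL the server has been asked to fetch.

    Order matters: the scheme and allowlist tests run before any DNS lookup so
    that an unvetted hostname never triggers resolution.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # strips userinfo, so user@evil tricks do not help
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError):
        return False, f"could not resolve {host!r}"
    for ip in addresses:
        if is_blocked_ip(ip):
            return False, f"{host!r} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; 93.184.216.34 is a public address.
    fake_dns = {"api.example.com": {"93.184.216.34"},
                "docs.example.com": {"169.254.169.254"}}
    for u in ["http://api.example.com/v1/doc",
              "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "http://docs.example.com/",
              "http://api.example.com@169.254.169.254/"]:
        print(f"{u:45} -> {check_outbound_url(u, resolver=fake_dns.__getitem__)}")
```

A practical caveat: validating the resolved address and then handing the hostname to an HTTP client that resolves it again leaves a DNS-rebinding window, so a hardened fetcher should connect to the address it validated (or validate inside the client's connection hook) and apply the same check to every redirect target. Blocking metadata addresses at the application layer complements, but does not replace, requiring IMDSv2 on the instance itself.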