
Chainlit AI Framework Flaws Allow Data Theft through File Read and SSRF Bugs

Security vulnerabilities have been uncovered in the popular open-source artificial intelligence (AI) framework Chainlit that could allow attackers to steal sensitive data, which could in turn enable lateral movement within a vulnerable organization.

Zafran Security said the high-severity flaws, collectively dubbed ChainLeak, could be abused to leak cloud environment API keys and steal sensitive files, or to perform server-side request forgery (SSRF) attacks against servers hosting AI applications.

Chainlit is a framework for building conversational chatbots. According to statistics shared by the Python Software Foundation, the package has been downloaded over 220,000 times over the past week. It has attracted a total of 7.3 million downloads to date.


Details of the two vulnerabilities are as follows –

  • CVE-2026-22218 (CVSS score: 7.1) – An arbitrary file read vulnerability in the "/project/element" update flow that allows an authenticated attacker to read the contents of any file readable by the service into their own session, due to a lack of validation of user-controlled fields
  • CVE-2026-22219 (CVSS score: 8.3) – An SSRF vulnerability in the "/project/element" update flow when configured with the SQLAlchemy data layer backend that allows an attacker to make arbitrary HTTP requests to internal network services or cloud metadata endpoints from the Chainlit server and store the retrieved responses

"The two Chainlit vulnerabilities can be combined in several ways to leak sensitive data, escalate privileges, and move laterally across the system," Zafran researchers Gal Zaban and Ido Shani said. "Once an attacker gains arbitrary file read access on the server, the AI application's security quickly begins to collapse. What initially appears to be a contained flaw becomes direct access to the system's most sensitive secrets and internal state."

For instance, an attacker can weaponize CVE-2026-22218 to read "/proc/self/environ," allowing them to glean valuable information such as API keys, credentials, and internal file paths that could be used to burrow deeper into the compromised network or even gain access to the application source code. Alternatively, it could be used to leak database files if the setup uses SQLAlchemy with an SQLite backend as its data layer.

Following responsible disclosure on November 23, 2025, both vulnerabilities were addressed by Chainlit in version 2.9.4, released on December 24, 2025.


"As organizations rapidly adopt AI frameworks and third-party components, long-standing classes of software vulnerabilities are being embedded directly into AI infrastructure," Zafran said. "These frameworks introduce new and often poorly understood attack surfaces, where well-known vulnerability classes can directly compromise AI-powered systems."

Flaw in Microsoft MarkItDown MCP Server

The disclosure comes as BlueRock disclosed a vulnerability in Microsoft's MarkItDown Model Context Protocol (MCP) server, dubbed MCP fURI, that enables arbitrary calling of URI resources, exposing organizations to privilege escalation, SSRF, and data leakage attacks. The shortcoming affects the server when running on an Amazon Web Services (AWS) EC2 instance using IMDSv1.


"This vulnerability allows an attacker to execute the Markitdown MCP tool convert_to_markdown to call an arbitrary uniform resource identifier (URI)," BlueRock said. "The lack of any boundaries on the URI allows any user, agent, or attacker calling the tool to access any HTTP or file resource."


"When providing a URI to the Markitdown MCP server, this can be used to query the instance metadata of the server. A user can then obtain credentials to the instance if there is a role associated, giving you access to the AWS account, including the access and secret keys."

The agentic AI security company said its analysis of more than 7,000 MCP servers found that over 36.7% of them are potentially exposed to similar SSRF vulnerabilities. To mitigate the risk posed by the issue, it is recommended to use IMDSv2 to protect against SSRF attacks, implement private IP blocking, restrict access to metadata services, and create an allowlist to prevent data exfiltration.
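The mitigations listed above (private IP blocking, restricted metadata access, an allowlist) and the field validation the Chainlit file-read flaw lacked, as an added example that is not Chainlit's or BlueRock's code: it confines an element update's file path to one fixed directory and accepts a fetch URL only if its host is allowlisted and resolves to public addresses. The root directory, the allowlisted host and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

# Constructed policy for this example (not Chainlit's real configuration): the only
# directory an element update may read from, and the only hosts it may fetch from.
ALLOWED_FILES_ROOT = Path("/srv/chainlit-app/.files").resolve()
ALLOWED_URL_HOSTS = {"assets.example.internal"}


def safe_element_path(user_path: str) -> "Path | None":
    """Resolved path if it stays inside ALLOWED_FILES_ROOT, else None.

    resolve() follows symlinks and collapses '..', so a traversal string and an
    absolute path such as /proc/self/environ both land outside the root.
    """
    candidate = (ALLOWED_FILES_ROOT / user_path).resolve()
    try:
        candidate.relative_to(ALLOWED_FILES_ROOT)
    except ValueError:
        return None
    return candidate


def _is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # is_global excludes RFC 1918, loopback and link-local space (169.254.0.0/16,
    # where the cloud metadata endpoint lives); multicast/reserved are refused too.
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def safe_element_url(user_url: str, resolve=None) -> bool:
    """True only for http(s) URLs whose host is allowlisted AND resolves to public IPs.

    `resolve` maps a hostname to a list of IP strings; it defaults to DNS via
    socket.getaddrinfo and is injectable so the check can be exercised offline.
    """
    parts = urlparse(user_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_URL_HOSTS:
        return False
    if resolve is None:
        resolve = lambda host: [r[4][0] for r in socket.getaddrinfo(host, None)]
    try:
        ips = resolve(parts.hostname)
    except (socket.gaierror, ValueError, KeyError):
        return False
    # Every resolved address must be public: an allowlisted name that resolves to a
    # private or metadata address (misconfiguration, DNS rebinding) is still refused.
    return bool(ips) and all(_is_public_ip(ip) for ip in ips)
```

Both checks run before any file is opened or any request is sent, which is the ordering the two CVEs above were missing.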
