
Chainlit Framework Vulnerabilities Expose AI Application Infrastructure

3 unique sources, 3 articles

Summary


Two high-severity vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025, and patched on December 24, 2025, with the release of Chainlit version 2.9.4. Chainlit, widely used for building conversational AI applications, has seen significant adoption with over 7.3 million downloads to date, including 220,000 in the past week alone. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments, particularly in enterprise deployments and academic institutions.

Timeline

  1. 20.01.2026 18:30 · 3 articles

    Chainlit Releases Patch for Critical Security Vulnerabilities

    Chainlit released a patched version (2.9.4) on 24 December 2025 to address two critical security vulnerabilities (CVE-2026-22218 and CVE-2026-22219) that allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF). These vulnerabilities, collectively dubbed ChainLeak by Zafran Security, were responsibly disclosed on November 23, 2025. The vulnerabilities highlight the risks posed by traditional web flaws in AI application environments. Chainlit has been downloaded over 220,000 times in the past week and has attracted a total of 7.3 million downloads to date.

    CVE-2026-22218 can be exploited via the /project/element endpoint by submitting a custom element with a controlled 'path' field, allowing attackers to read any file accessible to the Chainlit server, including sensitive information such as API keys, cloud account credentials, source code, internal configuration files, SQLite databases, and authentication secrets.

    CVE-2026-22219 affects Chainlit deployments using the SQLAlchemy data layer and is exploited by setting the 'url' field of a custom element, forcing the server to fetch the URL via an outbound GET request and storing the response. The vulnerabilities can be combined into a single attack chain enabling full-system compromise and lateral movement in cloud environments.
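The two fields named above, 'path' and 'url', are the inputs a server-side handler has to validate before it opens a file or makes an outbound request. The following is an added example of that validation, written for this page; it is not Chainlit's code and does not describe how the 2.9.4 patch is implemented. It assumes a hypothetical handler that receives each custom element as a dict, and the allowed root `/srv/app/elements`, the hostnames `cdn.example.com` and `metadata.internal`, and the addresses in the demo are constructed for the example.

```python
"""Validation of a custom element's 'path' and 'url' fields before use.

Added example; not Chainlit's code. Assumes a hypothetical handler that
receives each element as a dict and must decide whether the server may open
the path or fetch the URL. Root directory, hostnames and IPs are constructed.
"""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse


class ElementRejected(ValueError):
    """Raised when an element field fails validation."""


def validate_element_path(raw_path: str, allowed_root) -> Path:
    """Return the resolved file path only if it stays inside allowed_root.

    resolve() collapses absolute paths, '..' segments and symlinks, so the
    containment check is made on the final filesystem location rather than
    on the string the client supplied.
    """
    root = Path(allowed_root).resolve()
    candidate = (root / raw_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ElementRejected(f"path escapes allowed root: {raw_path!r}") from None
    return candidate


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_element_url(raw_url: str, resolver=socket.getaddrinfo) -> str:
    """Return raw_url if it is http(s) and every address it resolves to is public.

    `resolver` takes (host, port) and returns getaddrinfo-style tuples; it is
    injectable so the check can be exercised offline.
    """
    parsed = urlparse(raw_url)
    if parsed.scheme not in ("http", "https"):
        raise ElementRejected(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ElementRejected("url has no host")
    if parsed.username or parsed.password:
        raise ElementRejected("credentials in url are not allowed")
    try:
        infos = resolver(parsed.hostname, None)
    except socket.gaierror:
        raise ElementRejected(f"host does not resolve: {parsed.hostname!r}") from None
    addresses = {info[4][0] for info in infos}
    if not addresses:
        raise ElementRejected("host resolved to no addresses")
    for ip in addresses:
        if not _is_public_ip(ip):
            raise ElementRejected(f"host resolves to non-public address {ip}")
    return raw_url


def validate_custom_element(element: dict, allowed_root, resolver=socket.getaddrinfo) -> dict:
    """Validate whichever of the two fields the element carries (hypothetical API)."""
    checked = {}
    if "path" in element:
        checked["path"] = validate_element_path(str(element["path"]), allowed_root)
    if "url" in element:
        checked["url"] = validate_element_url(str(element["url"]), resolver)
    return checked


def element_is_allowed(element: dict, allowed_root, resolver=socket.getaddrinfo) -> bool:
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        validate_custom_element(element, allowed_root, resolver)
    except ElementRejected:
        return False
    return True


def fake_resolver(host, port):
    """Constructed offline resolver: a two-entry table plus literal IPs."""
    table = {"cdn.example.com": "93.184.216.34", "metadata.internal": "169.254.169.254"}
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = table.get(host)
    if ip is None:
        raise socket.gaierror(f"unknown host {host!r}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port or 0))]


if __name__ == "__main__":
    root = "/srv/app/elements"                      # hypothetical element directory
    for sample in [{"path": "charts/q1.png"}, {"path": "../../etc/passwd"},
                   {"url": "https://cdn.example.com/img.png"},
                   {"url": "http://metadata.internal/latest/"}]:   # constructed inputs
        try:
            print("accepted", validate_custom_element(sample, root, fake_resolver))
        except ElementRejected as exc:
            print("rejected", sample, "->", exc)
```

Two caveats apply to the URL side. The check resolves the name once; if the fetch later resolves it again, a name whose answer changes between the two lookups (DNS rebinding) defeats it, so the fetch should connect to the address that was validated. Redirect targets are new URLs and need the same validation before they are followed. On the file side, the open should happen on the resolved path that was checked, not on the original string.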



Similar Happenings

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in the mcp-server-git, maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws

Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in the Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning about script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.

ShadowMQ Vulnerabilities in AI Inference Frameworks

Researchers have discovered critical remote code execution vulnerabilities in AI inference engines from Meta, Nvidia, Microsoft, and open-source projects like PyTorch. The issue, dubbed ShadowMQ, stems from unsafe use of ZeroMQ (ZMQ) and Python's pickle deserialization, allowing attackers to execute arbitrary code by sending malicious data for deserialization. The vulnerabilities have been found in multiple frameworks, including Llama, TensorRT-LLM, Sarathi-Serve, Modular Max Server, vLLM, and SGLang, with some already patched and others remaining vulnerable. Additionally, three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool's protections.
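The root cause named above is a worker calling `pickle.loads` on whatever arrives over a ZMQ socket. The block below is an added example of how a receiving side can retire that call; it is not code from any of the frameworks named and is not their fix. It assumes a hypothetical inference worker that gets one request frame per message, and the size limit, the job schema, the `RestrictedUnpickler`/`decode_*` names and the sample frames are all constructed for the example.

```python
"""Replacing pickle.loads on inbound ZMQ frames with checked decoders.

Added example, not code from any framework named above. Assumes a
hypothetical worker that receives one request frame per message. The size
limit, job schema and sample frames are constructed for the example.
"""
import builtins
import collections
import io
import json
import pickle

MAX_FRAME_BYTES = 64 * 1024                                          # constructed limit
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "range"}
JOB_SCHEMA = {"request_id": str, "prompt": str, "max_tokens": int}   # constructed schema


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside SAFE_BUILTINS.

    pickle reaches code execution through GLOBAL/STACK_GLOBAL opcodes that
    name an importable callable; find_class is the hook that resolves them,
    so rejecting every name not on the safelist closes that path.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def decode_legacy_pickle(frame: bytes):
    """Decode a frame from a caller that still sends pickle.

    Returns ("ok", obj) or ("rejected", reason). This narrows exposure during
    a transition; the JSON decoder below is the intended replacement.
    """
    if len(frame) > MAX_FRAME_BYTES:
        return "rejected", "frame too large"
    try:
        obj = RestrictedUnpickler(io.BytesIO(frame)).load()
    except Exception as exc:                  # malformed pickles raise many types
        return "rejected", f"{type(exc).__name__}: {exc}"
    return "ok", obj


def decode_job_json(frame: bytes):
    """Decode a JSON frame and require exactly the schema's keys and types."""
    if len(frame) > MAX_FRAME_BYTES:
        return "rejected", "frame too large"
    try:
        obj = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return "rejected", f"not valid JSON: {exc}"
    if not isinstance(obj, dict) or set(obj) != set(JOB_SCHEMA):
        return "rejected", "unexpected keys"
    for key, expected in JOB_SCHEMA.items():
        if type(obj[key]) is not expected:    # exact type: bool is not int here
            return "rejected", f"field {key!r} must be {expected.__name__}"
    return "ok", obj


# Constructed frames used by the demo below.
JOB = {"request_id": "r1", "prompt": "hello", "max_tokens": 8}
PLAIN_PICKLE = pickle.dumps(JOB)
GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict(JOB))   # harmless class, not on the safelist
GOOD_JSON = json.dumps(JOB).encode()
BAD_JSON = b'{"request_id": "r1", "prompt": "hello", "max_tokens": "8"}'

if __name__ == "__main__":
    for label, frame in [("plain pickle", PLAIN_PICKLE), ("pickle with global", GLOBAL_PICKLE)]:
        print(label, "->", decode_legacy_pickle(frame))
    for label, frame in [("good json", GOOD_JSON), ("bad json", BAD_JSON)]:
        print(label, "->", decode_job_json(frame))
```

The restricted unpickler is a stopgap rather than a fix: it blocks the import step, but the module's own documentation still advises against unpickling data from an untrusted source at all, which is why the JSON path with an explicit schema is the target state. Authenticating the ZMQ channel (for example with CURVE) limits who can send frames in the first place, but it does not make the payload safe to deserialize, so it complements rather than replaces the decoder change.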

Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways

Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

ConnectWise Automate vulnerabilities patched

ConnectWise has released a security update for its Automate product to address two vulnerabilities. The most severe, CVE-2025-11492, allows for cleartext transmission of sensitive information, potentially exposing communications to adversary-in-the-middle (AiTM) attacks. The second, CVE-2025-11493, involves a lack of integrity verification for update packages. The vulnerabilities affect on-premises deployments of Automate, a remote monitoring and management (RMM) platform used by managed service providers (MSPs) and IT departments. The update is marked as a moderate priority, and administrators are advised to install it as soon as possible. These vulnerabilities could allow attackers to intercept or modify traffic, including commands, credentials, and update payloads, potentially leading to the installation of malicious files. The Automate 2025.9 patch enforces HTTPS for all agent communications to mitigate these risks. Partners running on-prem servers should also ensure TLS 1.2 is enforced to maintain secure communications.