CVE-2026-22218

EUVD-2026-3345

20.01.2026, 00:15

Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
chainlit	chainlit	𝑥 < 2.9.4

𝑥

= Vulnerable software versions

Known Exploits!

https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Media Exposure

[ENGLISH] Chainlit Security Flaws Highlight Infrastructure Risks in AI Apps
2 security vulnerabilities in the Chainlit framework expose risks from web flaws in AI applications
Published: 2026-01-20T16:30:00+00:00

References

https://github.com/Chainlit/chainlit/releases/tag/2.9.4

https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element

https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover