CVE-2025-68492: chainlit: IDOR enables unauthorized data access

GHSA-v492-6xx2-p57g MEDIUM
Published January 14, 2026
CISO Take

Chainlit deployments running versions prior to 2.8.5 expose an authorization bypass that lets any authenticated user read other users' AI conversation threads or hijack thread ownership. Patch immediately to 2.8.5—Chainlit threads routinely contain sensitive LLM prompts, business context, and RAG-retrieved data that users assume is private. Audit all Chainlit instances across your AI stack, including internal copilots and customer-facing chat interfaces.

What is the risk?

Medium severity by CVSS, but contextually elevated for AI deployments. The AC:H rating reflects implementation-specific complexity; in practice, IDOR-style thread ID enumeration is low-effort once an attacker holds any valid account. Exposure amplifies in multi-tenant or internal AI assistant deployments where thread data contains proprietary system prompts, customer PII, or embedded business intelligence. Low EPSS (0.00014) and absence from KEV suggest no active exploitation, but the fix is trivial—patching cost is near-zero versus potential data exposure.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
Chainlit   pip         < 2.8.5            2.8.5

Do you use Chainlit? You're affected.

How severe is it?

CVSS 3.1: 4.2 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None

What should I do?

5 steps
  1. PATCH

    Upgrade all Chainlit instances to 2.8.5+ immediately—the fix is available and straightforward.

  2. AUDIT

    Query access logs for thread reads where the requesting user does not match thread owner; flag anomalous enumeration patterns.

  3. ISOLATE

    If patching is delayed, restrict Chainlit behind VPN or add WAF rules to block cross-user thread ID enumeration attempts.

  4. DATA MINIMIZATION

    Review what sensitive content is persisted in Chainlit threads—avoid storing API keys, PII, or system prompts in thread history.

  5. DETECT

    Implement alerting on thread access where session user differs from thread owner at the application layer.
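The AUDIT and DETECT steps both come down to the same two checks: a successful thread read where the session user is not the thread's owner, and one account touching many thread IDs it does not own in a short window. The block below is an added example (not Chainlit's own logging or code) that runs those checks over a constructed access-log sample. The log line format, the `/project/thread/{id}` path shape and the ownership table are assumptions; a real deployment would join its own access logs against the data layer that persists threads.

```python
"""Flag cross-owner thread reads and thread-ID enumeration bursts.

Added example with a constructed log format; not Chainlit's own logging.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, session user, method, path, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) status=(?P<status>\d{3})$"
)
# Assumed thread endpoint shape; the page only says /thread/{id}.
THREAD_PATH_RE = re.compile(r"^/project/thread/(?P<thread_id>[0-9a-f-]{36})$")

# Constructed ownership table (thread_id -> owner), standing in for the data layer.
THREAD_OWNERS = {
    "11111111-1111-4111-8111-111111111111": "alice",
    "22222222-2222-4222-8222-222222222222": "bob",
    "33333333-3333-4333-8333-333333333333": "carol",
}

# Constructed sample: normal owner reads, then one account sweeping other users' threads.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z user=alice GET /project/thread/11111111-1111-4111-8111-111111111111 status=200
2026-01-15T10:00:05Z user=bob GET /project/thread/22222222-2222-4222-8222-222222222222 status=200
2026-01-15T10:00:09Z user=mallory GET /project/thread/11111111-1111-4111-8111-111111111111 status=200
2026-01-15T10:00:10Z user=mallory GET /project/thread/22222222-2222-4222-8222-222222222222 status=200
2026-01-15T10:00:11Z user=mallory GET /project/thread/aaaaaaaa-0000-4000-8000-000000000001 status=404
2026-01-15T10:00:12Z user=mallory GET /project/thread/aaaaaaaa-0000-4000-8000-000000000002 status=404
2026-01-15T10:00:13Z user=mallory GET /project/thread/33333333-3333-4333-8333-333333333333 status=200
2026-01-15T10:05:00Z user=carol GET /project/thread/33333333-3333-4333-8333-333333333333 status=200
"""


@dataclass(frozen=True)
class ThreadAccess:
    ts: datetime
    user: str
    thread_id: str
    status: int


def parse_thread_accesses(log_text):
    """Keep only requests against the thread endpoint, parsed into ThreadAccess records."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = THREAD_PATH_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(ThreadAccess(ts, m["user"], p["thread_id"], int(m["status"])))
    return events


def cross_owner_reads(events, owners):
    """Successful reads where the requesting user is not the thread owner (AUDIT / DETECT)."""
    return [
        e for e in events
        if e.status == 200 and owners.get(e.thread_id) not in (None, e.user)
    ]


def enumeration_bursts(events, owners, window=timedelta(seconds=60), threshold=3):
    """Users who hit >= threshold distinct thread IDs they do not own inside one window.

    Misses (404/403 on unknown IDs) count too: a sweep shows up before it succeeds.
    Returns {user: max distinct foreign IDs seen in any window} for users over threshold.
    """
    foreign = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if owners.get(e.thread_id) != e.user:
            foreign[e.user].append(e)
    flagged = {}
    for user, evs in foreign.items():
        best = 0
        for i, start in enumerate(evs):
            ids = {x.thread_id for x in evs[i:] if x.ts - start.ts <= window}
            best = max(best, len(ids))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_thread_accesses(SAMPLE_LOG)
    for e in cross_owner_reads(evs, THREAD_OWNERS):
        print(f"cross-owner read: {e.user} -> {e.thread_id} (owner {THREAD_OWNERS[e.thread_id]})")
    for user, n in enumeration_bursts(evs, THREAD_OWNERS).items():
        print(f"enumeration burst: {user} touched {n} foreign thread IDs within 60s")
```

The ownership join is the part that matters: an access log alone cannot tell a legitimate read from an IDOR read, so the detection has to be run where both the session identity and the thread owner are known, which is why step 5 places the alerting at the application layer.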

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 9 - Risk management system
  • Article 10 - Data and data governance
ISO 42001
  • A.6.1.4 - AI system access control
  • A.6.2.6 - Access to AI system resources
NIST AI RMF
  • GOVERN-1.2 - Accountability structures are in place
  • MANAGE 2.4 - Residual risks and treatment
OWASP LLM Top 10
  • LLM02 - Sensitive Information Disclosure
  • LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-68492?

Chainlit deployments running versions prior to 2.8.5 expose an authorization bypass that lets any authenticated user read other users' AI conversation threads or hijack thread ownership. Patch immediately to 2.8.5—Chainlit threads routinely contain sensitive LLM prompts, business context, and RAG-retrieved data that users assume is private. Audit all Chainlit instances across your AI stack, including internal copilots and customer-facing chat interfaces.

Is CVE-2025-68492 actively exploited?

No confirmed active exploitation of CVE-2025-68492 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-68492?

  1. PATCH: Upgrade all Chainlit instances to 2.8.5+ immediately—the fix is available and straightforward.
  2. AUDIT: Query access logs for thread reads where the requesting user does not match thread owner; flag anomalous enumeration patterns.
  3. ISOLATE: If patching is delayed, restrict Chainlit behind VPN or add WAF rules to block cross-user thread ID enumeration attempts.
  4. DATA MINIMIZATION: Review what sensitive content is persisted in Chainlit threads—avoid storing API keys, PII, or system prompts in thread history.
  5. DETECT: Implement alerting on thread access where session user differs from thread owner at the application layer.

What systems are affected by CVE-2025-68492?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, agent frameworks, multi-user AI applications, RAG pipelines, conversational AI platforms.

What is the CVSS score for CVE-2025-68492?

CVE-2025-68492 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.22%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfaces, agent frameworks, multi-user AI applications, RAG pipelines, conversational AI platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0036 Data from Information Repositories
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0057 LLM Data Leakage
AML.T0080.001 Thread
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Art. 9, Article 10
ISO 42001: A.6.1.4, A.6.2.6
NIST AI RMF: GOVERN-1.2, MANAGE 2.4
OWASP LLM Top 10: LLM02, LLM02:2025

What are the technical details?

Original Advisory

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Exploitation Scenario

An attacker creates a low-privilege account on a multi-user Chainlit deployment (e.g., an internal AI assistant or customer-facing LLM product). They observe that thread IDs in API requests to /thread/{id} are sequential, UUID-based but discoverable, or leaked via other endpoints. By iterating or guessing thread IDs with their authenticated session, they read conversation histories of other users—potentially exposing executive AI assistant sessions containing M&A context, HR queries, or embedded customer data. In a more targeted attack, the adversary obtains ownership of a specific high-value thread and injects adversarial context before the victim resumes their session, covertly manipulating the LLM's behavior through thread-context poisoning without any model access.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.
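The two CWE-639 mitigations above map directly onto code. The block below is an added example in generic Python (not Chainlit's data layer or its fix) that puts an IDOR-style thread lookup and an ownership-taking upsert beside their hardened forms: every read checks the record's owner against the authenticated session, and the owner of a new thread is taken from the session rather than from a client-supplied field. The `Thread` store, the `user_id` payload field and the thread IDs are constructed for the example.

```python
"""CWE-639 thread access: vulnerable lookup/upsert beside hardened versions.

Added example with a constructed in-memory store; not Chainlit's own code.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for both 'no such thread' and 'not your thread'.

    Collapsing the two means the endpoint cannot be used as an oracle for
    which thread IDs exist.
    """


@dataclass
class Thread:
    thread_id: str
    owner: str
    messages: list = field(default_factory=list)


def make_store():
    """Constructed sample store: thread_id -> Thread."""
    return {
        "t-alice": Thread("t-alice", "alice", ["quarterly plan draft"]),
        "t-bob": Thread("t-bob", "bob", ["HR question"]),
    }


# --- vulnerable: the client-controlled key is the only input -----------------

def get_thread_vulnerable(store, thread_id):
    """Whoever supplies a valid id gets the record; the session user is never consulted."""
    return store[thread_id]


def upsert_thread_vulnerable(store, thread_id, payload):
    """Owner comes from the request body, so a caller can claim someone else's thread."""
    t = store.get(thread_id) or Thread(thread_id, payload["user_id"])
    t.owner = payload["user_id"]
    t.messages.extend(payload.get("messages", []))
    store[thread_id] = t
    return t


# --- hardened: bind every access to the authenticated session ----------------

def get_thread(store, thread_id, session_user):
    """Return the thread only if the authenticated session user owns it."""
    t = store.get(thread_id)
    if t is None or t.owner != session_user:
        raise NotFound(thread_id)
    return t


def upsert_thread(store, thread_id, session_user, payload):
    """Create or append to a thread; ownership is never taken from the payload.

    A new thread belongs to the session user. An existing thread can only be
    modified by its owner, and the owner field itself is immutable here.
    """
    existing = store.get(thread_id)
    if existing is None:
        t = Thread(thread_id, session_user)  # owner from session, not payload
        store[thread_id] = t
    else:
        if existing.owner != session_user:
            raise NotFound(thread_id)
        t = existing
    t.messages.extend(payload.get("messages", []))
    return t


if __name__ == "__main__":
    store = make_store()
    print("vulnerable read by anyone:", get_thread_vulnerable(store, "t-bob").messages)
    try:
        get_thread(store, "t-bob", "alice")
    except NotFound:
        print("hardened read: alice cannot see t-bob")
    print("hardened read by owner:", get_thread(store, "t-bob", "bob").messages)
```

The second mitigation (the lookup key must not be externally controllable, or tampering must be detectable) is what `upsert_thread` implements: the client still names the thread, but the owner relation is derived from the session, so no request body can move a thread from one user to another.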

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Timeline

Published: January 14, 2026
Last Modified: January 14, 2026
First Seen: March 24, 2026
