CVE-2025-68492 — MEDIUM (CVSS 4.2) AI Security Vulnerability

CISO Take

Chainlit deployments running versions prior to 2.8.5 expose an authorization bypass that lets any authenticated user read other users' AI conversation threads or hijack thread ownership. Patch immediately to 2.8.5—Chainlit threads routinely contain sensitive LLM prompts, business context, and RAG-retrieved data that users assume is private. Audit all Chainlit instances across your AI stack, including internal copilots and customer-facing chat interfaces.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
chainlit	pip	< 2.8.5	`2.8.5`

Do you use chainlit? You're affected.

Severity & Risk

CVSS 3.1

4.2 / 10

EPSS

0.0%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade all Chainlit instances to 2.8.5+ immediately—the fix is available and straightforward. 2. AUDIT: Query access logs for thread reads where the requesting user does not match thread owner; flag anomalous enumeration patterns. 3. ISOLATE: If patching is delayed, restrict Chainlit behind VPN or add WAF rules to block cross-user thread ID enumeration attempts. 4. DATA MINIMIZATION: Review what sensitive content is persisted in Chainlit threads—avoid storing API keys, PII, or system prompts in thread history. 5. DETECT: Implement alerting on thread access where session user differs from thread owner at the application layer.

Classification

Auth Bypass Data Leakage Framework Agent AML.T0012 - Valid Accounts AML.T0036 - Data from Information Repositories AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0080.001 - Thread AML.T0085 - Data from AI Services

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system Article 10 - Data and data governance

ISO 42001

A.6.1.4 - AI system access control A.6.2.6 - Access to AI system resources

NIST AI RMF

GOVERN-1.2 - Accountability structures are in place MANAGE 2.4 - Residual risks and treatment

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM02:2025 - Sensitive Information Disclosure

Technical Details

NVD Description

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Exploitation Scenario

An attacker creates a low-privilege account on a multi-user Chainlit deployment (e.g., an internal AI assistant or customer-facing LLM product). They observe that thread IDs in API requests to /thread/{id} are sequential, UUID-based but discoverable, or leaked via other endpoints. By iterating or guessing thread IDs with their authenticated session, they read conversation histories of other users—potentially exposing executive AI assistant sessions containing M&A context, HR queries, or embedded customer data. In a more targeted attack, the adversary obtains ownership of a specific high-value thread and injects adversarial context before the victim resumes their session, covertly manipulating the LLM's behavior through thread-context poisoning without any model access.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key Primary

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Timeline

Published

January 14, 2026

Last Modified

January 14, 2026

First Seen

March 24, 2026