CVE-2026-22219: chainlit: SSRF allows internal network access

GHSA-2g59-m95p-pgfq | HIGH | PoC available
Published January 20, 2026

CISO Take

Any authenticated user of a Chainlit deployment using the SQLAlchemy data layer—including trial accounts or compromised end-users—can pivot from the chatbot UI directly to your cloud metadata service and exfiltrate IAM credentials. Patch to 2.9.4 immediately; in cloud environments with IMDSv1 enabled, this is a one-request path to full account takeover. Until patched, enforce IMDSv2 and block outbound HTTP from the Chainlit process to RFC 1918 and link-local ranges.

What is the risk?

Effective risk exceeds the CVSS 7.7 baseline for cloud-hosted AI deployments. The Changed Scope vector (S:C) confirms blast radius extends well beyond Chainlit itself—IMDS credential theft routinely leads to lateral movement and full cloud account compromise. Low privilege requirement (PR:L) means any authenticated end-user can trigger the exploit, not just privileged operators. EPSS 0.00037 indicates no mass exploitation observed yet, but IMDS SSRF is a well-documented attacker playbook item requiring zero specialized knowledge. Organizations running Chainlit on AWS, GCP, or Azure with permissive IAM roles face critical-level real-world risk despite the High (not Critical) CVSS label.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
Chainlit   pip         < 2.9.4            2.9.4

12.2K | 40 dependents | Pushed 12d ago | 67% patched | ~7d to patch

Do you use Chainlit? You're affected.

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 4.4% chance of exploitation in 30 days (higher than 90% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

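Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): None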

What should I do?

  1. PATCH

    Upgrade Chainlit to 2.9.4 immediately. Fix is in commit ffc3cce648b343b933e10e85ee5805c7e02ab3bf.

  2. ENFORCE IMDSv2

    On all cloud instances running Chainlit, disable IMDSv1 (AWS: aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-put-response-hop-limit 1).

  3. EGRESS FILTERING

    Apply strict outbound firewall rules blocking Chainlit process HTTP to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16).

  4. PRINCIPLE OF LEAST PRIVILEGE

    Audit and reduce IAM roles attached to Chainlit instances—assume credentials are already compromised if you cannot confirm patch status.

  5. DETECT

    Alert on outbound HTTP connections from Chainlit to internal IP ranges; review storage provider write logs for unexpected objects created by the Chainlit service identity.

  6. WORKAROUND (pre-patch only)

    Block the /project/element endpoint at the WAF/reverse proxy layer, or disable the SQLAlchemy data layer if persistent chat is not required.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
    Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
    A.6.1.4 - Information security in AI system development
    A.9.2 - AI System Incident Management
NIST AI RMF
    MANAGE 2.2 - Mechanisms are in place and applied to respond to AI risks
    MANAGE-2.2 - Mechanisms for AI Risk Response
OWASP LLM Top 10
    LLM02 - Sensitive Information Disclosure
    LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-22219 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-22219, increasing the risk of exploitation.

What systems are affected by CVE-2026-22219?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, model serving, chatbot UI layers, multi-tenant AI applications.

What is the CVSS score for CVE-2026-22219?

CVE-2026-22219 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 4.44%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, RAG pipelines, model serving, chatbot UI layers, multi-tenant AI applications

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.4, A.9.2
NIST AI RMF: MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM02:2025

What are the technical details?

Original Advisory

Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.
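The server-side fetch described in this advisory and the ranges named in the egress-filtering step, combined into an application-layer check (an added example, not Chainlit's code and not the 2.9.4 fix). `check_element_url`, `blocked_reason` and `system_resolver` are hypothetical names, and the loopback and IPv6 ranges are additions beyond the ranges this page lists.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the mitigation steps, plus loopback and IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # link-local, incl. metadata
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def system_resolver(host):
    """Return every address the OS resolver gives for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def blocked_reason(addr):
    """Return the blocked network containing addr, or None."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                        # ::ffff:a.b.c.d -> a.b.c.d
    for net in BLOCKED_NETS:
        if ip in net:
            return str(net)
    return None


def check_element_url(url, resolve=system_resolver):
    """Return (allowed, reason) for a client-supplied Element url.

    Hypothetical pre-fetch check. The caller must connect to an address
    validated here; a second DNS lookup could return a different one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "host did not resolve"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:  # reject if ANY resolved address is internal
        net = blocked_reason(addr)
        if net:
            return False, f"{addr} is in blocked range {net}"
    return True, "ok"
```

This check complements the network-level egress rules and IMDSv2 enforcement listed in the mitigation steps; it does not replace them, since redirects followed by the HTTP client need the same validation on every hop.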

Exploitation Scenario

An attacker obtains any authenticated session to a Chainlit application—via a legitimate trial account, phishing a registered user, or credential stuffing. They issue a crafted POST to the /project/element endpoint with a url field set to http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role. The Chainlit server, running on an EC2 instance with an attached IAM role, fetches this URL server-side and stores the JSON response—containing a live AccessKeyId, SecretAccessKey, and SessionToken—into the configured S3 bucket. The attacker retrieves the object from storage and uses the credentials to authenticate to AWS. With the IAM role's permissions (commonly broad in AI development environments), they enumerate S3 buckets containing training data and model weights, access internal model APIs, or establish persistence via new IAM users. The entire attack chain requires only authenticated HTTP access and standard tooling.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: January 20, 2026
Last Modified: February 2, 2026
First Seen: March 24, 2026
