CVE-2026-22218
MediumCVSS 6.5Exploitation Probability (EPSS)
Very high risk95th percentile - higher than 95% of all known CVEs
Summary
A vulnerability in Chainlit versions prior to 2.9.4 allows an authenticated attacker to read arbitrary files on the server by manipulating the path in a project element update request. The attacker can copy the file to their session and then retrieve it using the element identifier.
Risk Assessment
The risk involves potential disclosure of sensitive data such as configuration files, private keys, or user data readable by the Chainlit service.
Recommendation
Immediately upgrade Chainlit to version 2.9.4 or later, which fixes this vulnerability.
Original NVD description (English source)
Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service.

