CVE-2026-22219
Published: 20 January 2026
Summary
CVE-2026-22219 is a high-severity SSRF (CWE-918) vulnerability in Chainlit Chainlit. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates user-controlled URL inputs in the /project/element update flow to prevent SSRF exploitation by ensuring only authorized URLs are processed.
Monitors and controls outbound HTTP requests at system boundaries to block access to internal network services or cloud metadata endpoints.
Enforces approved information flow policies to restrict server-initiated connections based on user-supplied URLs to authorized destinations only.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing Chainlit web app directly enables exploitation of the application (T1190) and outbound requests to cloud metadata services (T1552.005) or internal hosts for service discovery (T1046).
NVD Description
Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched…
more
by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.
Deeper analysisAI
CVE-2026-22219 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Chainlit versions prior to 2.9.4 when configured with the SQLAlchemy data layer backend. The flaw exists in the /project/element update flow, where an authenticated client can supply a user-controlled URL value within an Element. This triggers the SQLAlchemy element creation logic to perform an outbound HTTP GET request to the specified URL.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By controlling the URL, they can direct the Chainlit server to issue arbitrary HTTP requests to internal network services or cloud metadata endpoints, such as instance metadata services. The retrieved responses are then stored via the configured storage provider, enabling potential data exfiltration. The CVSS v3.1 base score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), reflecting high confidentiality impact due to the changed scope.
The Chainlit project addresses this issue in version 2.9.4, as detailed in their GitHub release notes. Additional guidance appears in advisories from Vulncheck, which covers the SQLAlchemy data layer SSRF via project elements, and Zafran Security, discussing critical vulnerabilities in the AI framework including data exposure and cloud takeover risks.
This vulnerability impacts Chainlit, a framework used for building conversational AI applications, underscoring SSRF risks in AI/ML deployment environments particularly for internal network pivoting and metadata access.
Details
- CWE(s)