CVE Catalog

CVE-2026-22218

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
8.84%

95th percentile - higher than 95% of all known CVEs

Summary

A vulnerability in Chainlit versions prior to 2.9.4 allows an authenticated attacker to read arbitrary files on the server by manipulating the path in a project element update request. The attacker can copy the file to their session and then retrieve it using the element identifier.

Risk Assessment

The risk involves potential disclosure of sensitive data such as configuration files, private keys, or user data readable by the Chainlit service.

Recommendation

Immediately upgrade Chainlit to version 2.9.4 or later, which fixes this vulnerability.

Original NVD description (English source)

Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS