CVE-2026-22219
HIGH
GHSA-2g59-m95p-pgfq
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Description
Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.
Analysis
Chainlit versions before 2.9.4 with SQLAlchemy backend contain a server-side request forgery vulnerability in the project element update endpoint that allows authenticated attackers to make arbitrary HTTP requests from the server. Public exploit code exists for this vulnerability, enabling attackers to reach internal network services, cloud metadata endpoints, and store responses through the configured storage system. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems and apply vendor patches promptly. Implement egress filtering and URL validation for server-side requests.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today