Nate Nelson, Contributing Writer
January 20, 2026

Two old-fashioned software vulnerabilities in a hot artificial intelligence (AI) framework could have allowed attackers to take over users' cloud environments.

Not every vulnerability affecting AI chatbots is about prompt injection (PI), indirect prompt injection (IPI), or any strange new threat vector. Strip away all the glitz, and AI technology is built on ordinary IT and cloud infrastructure. Thus, it's often vulnerable to the same sorts of bugs that any other IT and cloud applications are.

"You have servers, Web applications, a user interface (UI), clients — so the attack surface for this kind of system is actually quite similar [and] Web vulnerabilities that we are used to seeing are still relevant in this kind of system," explains Gal Zaban, research team lead at Zafran Security. But, she adds, "it's even more risky because AI systems are usually connected to other services that you have in your company."

In a new report, researchers at Zafran disclosed two high-severity vulnerabilities affecting "Chainlit," an open source framework for creating conversational chatbots. The framework has grown rapidly in recent months, and is now downloaded north of 200,000 times per week from the Python Package Index (PyPI). Chainlit released version 2.9.4 last month to fix the two vulnerabilities, which exposed millions of users to data loss, cloud account takeovers, and more.

Vulnerabilities in Chainlit

Broadly speaking, a chatbot technology stack can be broken up into three buckets. There's the frontend UI that users engage with, and the large language model (LLM) they're querying. Translating between the two is the back end, which in this case, ironically, sits in the middle. Chainlit, for example, handles both the front-end chatbot and the back-end Web server it runs on, and connects to existing language models via other open source frameworks.
Thus, for a threat actor, Chainlit has two potential attack surfaces. They can try to talk a chatbot into doing malicious things for them. Or, as the Zafran researchers discovered, they can skip all the trickery and just get in through the other door.

The first vulnerability they found, CVE-2026-22218 (CVSS 7.7), derives from Chainlit's feature for attaching files or other custom "elements" to messages. Using a specific API endpoint, an attacker can update these custom elements to point to any arbitrary files on the server. This includes files they otherwise shouldn't be able to access: configurations, database files, source code, etc. The server saves the file in the attacker's session, and the attacker can then download it.

The second bug, a server-side request forgery (SSRF) tracked as CVE-2026-22219 (CVSS 7.0), is triggered in much the same way. In implementations that use "SQLAlchemy" for data persistence, an attacker can send the server a custom element with a URL, and the server will go and fetch whatever's there, even if the attacker shouldn't otherwise be able to reach that URL.

An attacker can use either vulnerability on its own. It might be even more effective, though, to learn about a target organization's innards and steal its secrets using bug one, then actually reach into those sensitive systems through bug two. Then cloud account access, lateral movement, data theft, even source code theft are all on the table. Specifically, Zafran researchers warned that if Chainlit is deployed on an Amazon Web Services (AWS) EC2 instance with Instance Metadata Service version 1 (IMDSv1) enabled, an attacker can exploit the SSRF flaw to access the service to obtain credentials and role endpoints (EC2 instances with IMDSv2 enabled are not vulnerable).

The AI Tradeoff: Functionality vs. Security

It's not merely that AI is vulnerable to traditional software bugs, Zaban says. It's liable to be even more vulnerable than more boring, entrenched technologies.
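The two bugs described above are classic input-validation failures: an element's file path is trusted, and an element's URL is fetched without checking where it points. The following Python is an added, illustrative hardening of both checks; it is not Chainlit's code, and the upload directory layout, the element payload shape and the sample DNS answers are all constructed for the example. It confines element paths to a per-session directory (defeating `..` traversal, absolute paths and symlink escapes) and refuses to fetch URLs that resolve to loopback, link-local, private or otherwise non-public addresses, which is what keeps an SSRF from reaching the EC2 metadata service at 169.254.169.254.

```python
import ipaddress
import os
import socket
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical per-session upload root; the real framework's layout differs.
UPLOAD_ROOT = Path("/srv/chat-app/uploads")

# Ranges a chatbot back end has no business fetching on a user's behalf.
# 169.254.169.254 (EC2 IMDS) and fd00:ec2::254 (its IPv6 form) fall inside these.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline (hostnames are made up).
FAKE_DNS = {
    "docs.example": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def resolve_element_path(session_id: str, requested: str, root: Path = UPLOAD_ROOT) -> Path:
    """Pin an element's file path inside root/<session_id>.

    Rejects absolute paths, '..' traversal and symlink escapes, so an element
    update cannot be re-pointed at configs, database files or source code.
    Raises ValueError on rejection; returns the canonical path otherwise.
    """
    if not session_id or session_id in (".", "..") or "/" in session_id:
        raise ValueError("malformed session id")
    if os.path.isabs(requested):
        raise ValueError("absolute element paths are not allowed")
    session_dir = Path(os.path.realpath(root / session_id))
    candidate = Path(os.path.realpath(session_dir / requested))
    # realpath() collapses '..' and follows symlinks; the parents check is the
    # actual containment decision (a path equal to the directory itself fails too).
    if session_dir not in candidate.parents:
        raise ValueError(f"element path escapes session directory: {requested}")
    return candidate


def system_resolver(host: str) -> list[str]:
    """Default resolver: every address the OS returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def fake_resolver(host: str) -> list[str]:
    """Offline resolver over the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def is_safe_fetch_url(url: str, resolver=system_resolver) -> bool:
    """Decide whether the server may fetch url on a user's behalf.

    Only http(s) is allowed, and every address the host resolves to must lie
    outside loopback, link-local, private and other non-routable ranges.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # bare IP literal, v4 or bracketed v6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, OSError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        # ::ffff:169.254.169.254 is still the metadata service.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if (addr.is_loopback or addr.is_link_local or addr.is_private
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True


def vet_element_update(session_id: str, element: dict, resolver=system_resolver) -> dict:
    """Apply both checks to one element-update payload and report the verdict."""
    if "path" in element:
        try:
            return {"accepted": True, "path": str(resolve_element_path(session_id, element["path"]))}
        except ValueError as exc:
            return {"accepted": False, "reason": str(exc)}
    if "url" in element:
        if is_safe_fetch_url(element["url"], resolver):
            return {"accepted": True, "url": element["url"]}
        return {"accepted": False, "reason": "url points at a non-public address"}
    return {"accepted": False, "reason": "element carries neither path nor url"}


if __name__ == "__main__":
    for payload in ({"path": "report.pdf"}, {"path": "../../etc/passwd"},
                    {"url": "https://docs.example/guide.pdf"},
                    {"url": "http://169.254.169.254/latest/meta-data/"},
                    {"url": "http://internal.corp/admin"}):
        print(payload, "->", vet_element_update("session-42", payload, fake_resolver))
```

Two design points are worth noting. The path check decides on the canonicalised path (`realpath`), not on the string the client sent, because the same escape can be spelled many ways. The URL check resolves the hostname and judges every returned address; a host that resolves to one public and one loopback address is refused. That still leaves a check-then-fetch window for DNS rebinding, so a production fetcher should connect to the address it vetted rather than resolving the name a second time. Blocking SSRF in the application complements, but does not replace, requiring IMDSv2 on the instance, which the article notes removes the credential-theft path on its own.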
"Usually companies are combining a lot of AI frameworks together, chaining them, and then creating a solution using those different components from different maintainers. It creates a situation where you have a lot of code that not all developers are familiar with. And because companies need such rapid development, it creates vulnerabilities," she says.

On top of it all, commercial AI is also endemically overpermissioned, undersecured, and typically interconnected with any other systems in earshot, making the consequences of familiar sorts of bugs far more dangerous.

"What we've seen in the market is that a very central value proposition of AI applications is their access to data of other applications — their ability to query and to act and to be a force multiplier for users, to gain access to all of the insights that some platform has," says Ben Seri, chief technology officer (CTO) of Zafran Security.

The flip side of interconnectivity, of course, is attack paths. "There is an unfortunate trade-off," Seri says. "All of these advancements and capabilities drive value, but you incur risk."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.
Vulnerabilities in the Chainlit AI framework could allow attackers to gain significant control in cloud environments. The flaws are present in a popular open-source framework used for building AI chatbots.