Ido Shani
Ido is a Security Researcher at Zafran, specializing in vulnerability research of open-source Python packages. With a background in security product research, he is currently focused on detecting logical vulnerabilities within AI infrastructure projects.
Session
As organizations rapidly adopt AI frameworks and third-party components, traditional software vulnerabilities are increasingly being introduced into AI infrastructure. While AI security discussions often focus on model-level issues such as prompt injection, the most dangerous risks frequently arise from traditional software vulnerabilities within the frameworks that power AI systems.
In this talk, we will present two vulnerabilities we discovered in Chainlit, a widely used open-source framework that helps build conversational AI apps (CVE-2026-22218 and CVE-2026-22219). The issues affect internet-facing AI systems and can be triggered remotely, enabling attackers to steal sensitive files, leak cloud API keys and secrets, and perform server-side request forgery (SSRF) from the AI framework server. We confirmed the vulnerabilities in real-world, internet-facing applications used by major enterprises, demonstrating how framework-layer vulnerabilities can escalate to cloud-level impact.
We will walk through the technical details of the vulnerabilities and the exploitation chain that leads to server compromise and credential exposure. We'll also show how leaked artifacts such as cached conversation history, configuration files, or environment variables can reveal highly sensitive enterprise data.