CVE-2026-27941

OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows

Assigner: GitHub_M
Reserved: 25.02.2026 Published: 26.02.2026 Updated: 26.02.2026

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the pull_request_target event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged GITHUB_TOKEN and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	openlit
Product	openlit
Versions	Version < 1.37.1 is affected

Vendor

openlit

Product

openlit

Versions

Version < 1.37.1 is affected

References

Problem Types

CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE

CVE-2026-27941 PUBLISHED

OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows

Metrics

Product Status

References

Problem Types