CVE-2026-27941 | THREATINT

Description

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

PUBLISHED Reserved 2026-02-25 | Published 2026-02-26 | Updated 2026-02-26 | Assigner GitHub_M

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Product status

< 1.37.1

affected

References

github.com/...penlit/security/advisories/GHSA-9jgv-x8cq-296q

github.com/...ommit/4a62039a1659d6cbb8913172693f587b5fc2546c

cve.org (CVE-2026-27941)

nvd.nist.gov (CVE-2026-27941)

Download JSON