CRITICAL🇵🇱 Wersja polska

CVE-2026-27941

CVSS 9.9v3.1pub. 2026-02-26upd. 2026-03-06

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

🤖 AI Analysis
How it works

GitHub Actions workflows in the OpenLIT repository use the `pull_request_target` event, which runs the workflow in the context of the base repository — even when the code comes from an external fork. An attacker can open a malicious pull request from a fork, and their code will be retrieved and executed in a privileged context. This grants access to the GITHUB_TOKEN with write permissions and sensitive secrets such as API keys, database tokens, and Google Cloud service account keys.

Impact

An attacker authenticated as an external contributor can gain full access to sensitive repository secrets and perform privileged operations in the CI/CD environment, which may lead to compromise of the entire software supply chain (supply chain attack).

Mitigation & patch

OpenLIT should be updated to version 1.37.1, which contains a fix eliminating the vulnerable use of the `pull_request_target` event. Details of the fix are available in commit 4a62039a1659d6cbb8913172693f587b5fc2546c and in security advisory GHSA-9jgv-x8cq-296q.

Who is affected

OpenLIT Software Development Kit (OpenLIT platform) in versions prior to 1.37.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Openlit Software Development Kit

    APP
    Openlit
    1.36.2 – 1.37.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
CI/CD
CWE
References