CVE-2026-27941

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27941

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27941.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27941

Aliases

GHSA-9jgv-x8cq-296q

Published

2026-02-26T01:17:22.532Z

Modified

2026-04-02T13:22:15.327463Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows

Details

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the pull_request_target event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged GITHUB_TOKEN and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

Database specific

{
    "cwe_ids": [
        "CWE-829"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27941.json"
}

References

Affected packages

Git / github.com/openlit/openlit

Affected ranges

Type: GIT
Repo: https://github.com/openlit/openlit
Events: Introduced

f0fc8fa9f2a14eff70750aa81005076fe96e861b

Fixed

06d2a87184394ff6fefde48f7a3dd98001abd34c

Affected versions

openlit-1.*

openlit-1.15.1

openlit-1.15.2

openlit-1.15.3

openlit-1.15.4

openlit-1.16.0

py-1.*

py-1.36.2

py-1.36.3

py-1.36.6

py-1.36.7

py-1.36.8

py-1.36.9

py-1.37.0

ts-1.*

ts-1.8.0

ts-1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27941.json"