CVE-2026-27941

Source
https://cve.org/CVERecord?id=CVE-2026-27941
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27941.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27941
Aliases
  • GHSA-9jgv-x8cq-296q
Published
2026-02-26T01:17:22.532Z
Modified
2026-03-03T02:56:51.821945Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows
Details

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the pull_request_target event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged GITHUB_TOKEN and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27941.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-829"
    ]
}
References

Affected packages

Git / github.com/openlit/openlit

Affected ranges

Type
GIT
Repo
https://github.com/openlit/openlit
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.1.0
0.1.1
0.1.2
0.1.3
1.*
1.34.9
openlit-0.*
openlit-0.1.4
openlit-1.*
openlit-1.0.0
openlit-1.1.0
openlit-1.10.0
openlit-1.11.0
openlit-1.11.1
openlit-1.11.10
openlit-1.11.2
openlit-1.11.3
openlit-1.11.4
openlit-1.11.5
openlit-1.11.6
openlit-1.11.7
openlit-1.11.8
openlit-1.11.9
openlit-1.12.0
openlit-1.12.1
openlit-1.12.2
openlit-1.12.3
openlit-1.12.4
openlit-1.13.0
openlit-1.13.1
openlit-1.13.2
openlit-1.13.3
openlit-1.14.0
openlit-1.14.1
openlit-1.14.4
openlit-1.14.5
openlit-1.14.6
openlit-1.14.7
openlit-1.15.0
openlit-1.15.1
openlit-1.15.2
openlit-1.15.3
openlit-1.15.4
openlit-1.16.0
openlit-1.2.0
openlit-1.3.0
openlit-1.4.0
openlit-1.5.0
openlit-1.6.0
openlit-1.7.0
openlit-1.8.0
openlit-1.9.0
openlit-1.9.1
openlit-1.9.2
operator-0.*
operator-0.0.1
otel-gpu-collector-0.*
otel-gpu-collector-0.0.1
otel-gpu-collector-0.0.2
otel-gpu-collector-0.0.3
py-0.*
py-0.0.3
py-1.*
py-1.0.0
py-1.1.0
py-1.1.1
py-1.1.2
py-1.1.3
py-1.10.0
py-1.11.0
py-1.12.0
py-1.13.0
py-1.14.0
py-1.14.1
py-1.14.2
py-1.15.0
py-1.16.0
py-1.16.1
py-1.16.2
py-1.17.0
py-1.18.0
py-1.18.1
py-1.18.2
py-1.19.0
py-1.2.0
py-1.20.0
py-1.21.0
py-1.22.0
py-1.22.1
py-1.22.2
py-1.22.3
py-1.22.4
py-1.22.5
py-1.23.0
py-1.24.0
py-1.24.1
py-1.25.0
py-1.26.0
py-1.27.0
py-1.27.1
py-1.28.0
py-1.29.0
py-1.29.1
py-1.29.2
py-1.29.3
py-1.29.4
py-1.3.0
py-1.30.0
py-1.30.1
py-1.30.2
py-1.30.3
py-1.30.4
py-1.30.5
py-1.31.0
py-1.31.1
py-1.32.0
py-1.32.1
py-1.32.10
py-1.32.11
py-1.32.12
py-1.32.2
py-1.32.3
py-1.32.4
py-1.32.5
py-1.32.6
py-1.32.7
py-1.32.8
py-1.32.9
py-1.33.0
py-1.33.1
py-1.33.10
py-1.33.11
py-1.33.12
py-1.33.13
py-1.33.14
py-1.33.15
py-1.33.16
py-1.33.17
py-1.33.18
py-1.33.19
py-1.33.2
py-1.33.20
py-1.33.21
py-1.33.22
py-1.33.23
py-1.33.3
py-1.33.5
py-1.33.6
py-1.33.7
py-1.33.8
py-1.33.9
py-1.34.0
py-1.34.1
py-1.34.10
py-1.34.11
py-1.34.12
py-1.34.13
py-1.34.14
py-1.34.15
py-1.34.16
py-1.34.17
py-1.34.18
py-1.34.19
py-1.34.2
py-1.34.20
py-1.34.21
py-1.34.22
py-1.34.23
py-1.34.24
py-1.34.25
py-1.34.26
py-1.34.27
py-1.34.28
py-1.34.29
py-1.34.3
py-1.34.30
py-1.34.31
py-1.34.32
py-1.34.33
py-1.34.34
py-1.34.35
py-1.34.36
py-1.34.37
py-1.34.38
py-1.34.39
py-1.34.4
py-1.34.40
py-1.34.41
py-1.34.42
py-1.34.43
py-1.34.5
py-1.34.7
py-1.34.8
py-1.35.0
py-1.35.1
py-1.35.3
py-1.35.4
py-1.35.5
py-1.35.6
py-1.35.7
py-1.35.8
py-1.35.9
py-1.36.0
py-1.36.1
py-1.36.2
py-1.36.3
py-1.36.6
py-1.36.7
py-1.36.8
py-1.36.9
py-1.37.0
py-1.4.0
py-1.5.0
py-1.6.0
py-1.7.0
py-1.8.0
py-1.9.0
ts-1.*
ts-1.0.0
ts-1.1.0
ts-1.2.0
ts-1.3.0
ts-1.3.1
ts-1.4.0
ts-1.4.0-beta.1
ts-1.4.0-beta.3
ts-1.4.1
ts-1.5.0
ts-1.6.0
ts-1.7.0
ts-1.7.1
ts-1.8.0
ts-1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27941.json"