CVE-2026-27941

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/openlit/openlit/commit/4a62039a1659d6cbb8913172693f587b5fc2546c	Patch
https://github.com/openlit/openlit/security/advisories/GHSA-9jgv-x8cq-296q	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openlit:openlit_software_development_kit:*:*:*:*:*:python:*:*

History

No history.

Information

Published : 2026-02-26 02:16

Updated : 2026-03-06 20:06

NVD link : CVE-2026-27941

Mitre link : CVE-2026-27941

CVE.ORG link : CVE-2026-27941

JSON object : View

Products Affected

openlit

openlit_software_development_kit

CWE

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2026-27941", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-02-26T02:16:22.160", "references": [{"url": "https://github.com/openlit/openlit/commit/4a62039a1659d6cbb8913172693f587b5fc2546c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openlit/openlit/security/advisories/GHSA-9jgv-x8cq-296q", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix."}, {"lang": "es", "value": "OpenLIT es una plataforma de c\u00f3digo abierto para ingenier\u00eda de IA. Antes de la versi\u00f3n 1.37.1, varios flujos de trabajo de GitHub Actions en el repositorio de GitHub de OpenLIT utilizan el evento 'pull_request_target' mientras extraen y ejecutan c\u00f3digo no confiable de solicitudes de extracci\u00f3n bifurcadas. Estos flujos de trabajo se ejecutan con el contexto de seguridad del repositorio base, incluyendo un 'GITHUB_TOKEN' con privilegios de escritura y numerosos secretos sensibles (claves de API, tokens de base de datos/almac\u00e9n vectorial y una clave de cuenta de servicio de Google Cloud). La versi\u00f3n 1.37.1 contiene una correcci\u00f3n."}], "lastModified": "2026-03-06T20:06:09.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openlit:openlit_software_development_kit:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "4A765658-CA39-4F2B-94EF-64D0345C0F1F", "versionEndExcluding": "1.37.1", "versionStartIncluding": "1.36.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}