CVE-2026-27941
📋 TL;DR
This vulnerability in OpenLIT's GitHub Actions workflows allows attackers to execute arbitrary code with repository write privileges and access sensitive secrets by submitting a malicious pull request. It affects all OpenLIT users who have forked the repository or accept external contributions. The vulnerability stems from improper use of the pull_request_target event, which runs untrusted pull-request code with elevated permissions.
💻 Affected Systems
- OpenLIT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the OpenLIT repository including theft of all sensitive secrets (API keys, database tokens, Google Cloud service account), unauthorized code commits, and potential supply chain attacks against downstream users.
Likely Case
Exfiltration of sensitive credentials and secrets stored in the repository, leading to unauthorized access to integrated services and potential data breaches.
If Mitigated
Limited impact if proper branch protection rules and code review processes are enforced, though secrets exposure risk remains.
🎯 Exploit Status
Exploitation requires creating a malicious pull request to the OpenLIT repository. The vulnerability is well-documented in GitHub security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.37.1
Vendor Advisory: https://github.com/openlit/openlit/security/advisories/GHSA-9jgv-x8cq-296q
Restart Required: No
Instructions:
1. Update OpenLIT to version 1.37.1 or later.
2. Review and update GitHub Actions workflows to avoid using pull_request_target with untrusted code.
3. Rotate all exposed secrets (API keys, tokens, service accounts).
🔧 Temporary Workarounds
Disable vulnerable workflows
Temporarily disable GitHub Actions workflows that use the pull_request_target event
Implement branch protection
Require pull request reviews and status checks before merging
🧯 If You Can't Patch
- Disable all GitHub Actions workflows using pull_request_target event
- Rotate all repository secrets immediately and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check the GitHub Actions workflows in .github/workflows/ for pull_request_target usage combined with a checkout of untrusted pull-request code
Check Version:
Check package.json or similar version file for OpenLIT version
Verify Fix Applied:
Verify that workflows no longer use pull_request_target with untrusted code execution, and confirm the version is 1.37.1 or later
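An added check that is not part of the advisory: a small Python scanner that flags workflow files triggered by pull_request_target that also check out the pull request head (the pattern described above). It uses regex heuristics instead of a full YAML parser so it runs with no dependencies; treat hits as leads to review by hand. The two sample workflows are constructed for the example.

```python
import re
from pathlib import Path

# Heuristic audit for the "pull_request_target + checkout of PR head" pattern.
# Regex-based on purpose so it needs no PyYAML; hits are leads, not proof.

# pull_request_target as a mapping key / list item, or inline in "on: [...]"
TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|^\s*on\s*:.*\bpull_request_target\b",
    re.M,
)
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
# Refs that resolve to the PR author's code rather than the base branch
PR_HEAD_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/"
)


def audit_workflow(text: str) -> dict:
    """Classify one workflow file's contents."""
    uses_prt = bool(TRIGGER_RE.search(text))
    checks_out_pr_head = bool(CHECKOUT_RE.search(text)) and bool(PR_HEAD_RE.search(text))
    return {
        "pull_request_target": uses_prt,
        "checks_out_pr_head": checks_out_pr_head,
        "vulnerable_pattern": uses_prt and checks_out_pr_head,
    }


def audit_directory(workflow_dir: str = ".github/workflows") -> dict:
    """Audit every .yml/.yaml file under a workflows directory."""
    root = Path(workflow_dir)
    return {p.name: audit_workflow(p.read_text()) for p in sorted(root.glob("*.y*ml"))}


# Constructed samples: the risky shape and a safe variant using pull_request.
VULNERABLE_SAMPLE = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFE_SAMPLE = VULNERABLE_SAMPLE.replace("pull_request_target:", "pull_request:").replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", ""
)

if __name__ == "__main__":
    for name, finding in audit_directory().items():
        print(name, finding)
```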
📡 Detection & Monitoring
Log Indicators:
- Unauthorized GitHub Actions workflow runs
- Unexpected secret usage in logs
- Pull requests from unknown contributors triggering workflows
Network Indicators:
- Unexpected API calls from GitHub Actions to external services
- Unusual data exfiltration patterns
SIEM Query:
source="github" AND (event="pull_request_target" OR workflow_run) AND status="completed" AND actor NOT IN ["trusted_users"]