CVE-2026-27941: OpenLIT prior to 1.37.1 allows untrusted code to access sensitive data (CVSS 9.9)
Summary
OpenLIT's GitHub workflows don't properly secure sensitive data, allowing untrusted code to potentially access secrets like API keys and database tokens. This is fixed in version 1.37.1. Users running older versions should update to the latest version as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| openlit | openlit_software_development_kit | > 1.36.2, <= 1.37.1 | – |
Original title
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking ou...
Original description
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.
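The following is an added example, not code from the OpenLIT repository or its advisory: a constructed workflow showing the weak pattern the description names (a `pull_request_target` trigger that checks out and runs the fork's code with base-repository secrets) beside a hardened form, plus a small stdlib-only heuristic that flags the pattern so a repository owner can check their own workflows. The sample workflow contents and the regex heuristics are assumptions, not OpenLIT's real files.

```python
import re

# Constructed sample (not OpenLIT's real workflow) showing the weak pattern the
# advisory describes: pull_request_target keeps base-repo secrets and a write
# GITHUB_TOKEN, yet checks out and runs the fork's code.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

# Hardened form: plain pull_request gives fork PRs a read-only token and no
# secrets; the checkout uses the default merge ref and drops stored credentials.
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""

PR_TARGET = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRETS = re.compile(r"\$\{\{\s*secrets\.")


def find_risks(workflow_text: str) -> list[str]:
    """Heuristic stdlib-only scan for the advisory's pattern (no YAML parser)."""
    if not PR_TARGET.search(workflow_text):
        return []  # plain pull_request: fork code never sees base secrets
    findings = []
    if HEAD_REF.search(workflow_text):
        findings.append("pull_request_target checks out untrusted PR head")
    if SECRETS.search(workflow_text):
        findings.append("secrets passed to a pull_request_target job")
    return findings
```

Run `find_risks` over each file under `.github/workflows/` to get a first-pass list; the regex check is deliberately simple and should be followed by a manual review of any flagged workflow.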
nvd CVSS3.1
9.9
Vulnerability type
CWE-829
- https://github.com/openlit/openlit/commit/4a62039a1659d6cbb8913172693f587b5fc254... (Patch)
- https://github.com/openlit/openlit/security/advisories/GHSA-9jgv-x8cq-296q (Exploit, Mitigation, Vendor Advisory)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026