Nilsreichardt

**Name of the Vulnerable Software and Affected Versions** OpenLIT versions prior to 1.37.1 **Description** OpenLIT, an open source AI engineering platform, has an issue in GitHub Actions workflows prior to version 1.37.1. These workflows use the `pull request target` event and execute untrusted code from forked pull requests with the security context of the base repository. This includes a write-privileged `GITHUB TOKEN` and access to sensitive secrets such as API keys, database/vector store tokens, and a Google Cloud service account key. The `pull request target` event allows execution of code from potentially malicious pull requests. **Recommendations** Update OpenLIT to version 1.37.1 or later.