PT-2026-22081 · Openlist · Openlist

Nilsreichardt · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-27941
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenLIT versions prior to 1.37.1
Description: OpenLIT, an open source AI engineering platform, has an issue in its GitHub Actions workflows prior to version 1.37.1. These workflows use the pull_request_target event and execute untrusted code from forked pull requests with the security context of the base repository. This includes a write-privileged GITHUB_TOKEN and access to sensitive secrets such as API keys, database/vector store tokens, and a Google Cloud service account key. The pull_request_target event allows execution of code from potentially malicious pull requests.
Recommendations: Update OpenLIT to version 1.37.1 or later.
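As an added illustration (not from this advisory or the OpenLIT project), a small heuristic check that flags the workflow pattern described above: a pull_request_target trigger combined with a checkout of the pull request head, which is what lets fork code run with the base repository's token and secrets. The two embedded workflows are constructed samples, not OpenLIT's files; the hardened variant uses the plain pull_request event, under which fork code gets neither a write-privileged token nor repository secrets.

```python
import re

# Constructed sample workflows for illustration; they are not OpenLIT's own files.
VULNERABLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
# An explicit checkout of the PR head is what makes pull_request_target run the fork's code.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/\S*/(head|merge)")
SECRETS = re.compile(r"\bsecrets\.\w+")


def assess_workflow(text):
    """Return the risk indicators found in one workflow (line heuristic, not a YAML parser)."""
    lines = [line.split("#", 1)[0] for line in text.splitlines()]  # drop YAML comments
    findings = []
    if any(TRIGGER.search(line) for line in lines):
        findings.append("pull_request_target trigger")
    if any(PR_HEAD_REF.search(line) for line in lines):
        findings.append("checks out pull request head")
    if any(SECRETS.search(line) for line in lines):
        findings.append("references repository secrets")
    return findings


def is_risky(text):
    """True when code from a fork would run in the base repository's security context."""
    found = assess_workflow(text)
    return "pull_request_target trigger" in found and "checks out pull request head" in found
```

Run assess_workflow over each file under .github/workflows to triage a repository; a pull_request_target workflow that only labels or comments on the PR without checking out its head is not flagged.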

Exploit · Fix · LPE · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-27941
GHSA-9JGV-X8CQ-296Q

Affected Products

Openlist