CVE-2026-27941
Privilege Escalation via pull_request_target in OpenLIT Workflows
Publication date: 2026-02-26
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openlit | openlit_software_development_kit | From 1.36.2 (inc) to 1.37.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include modifying your GitHub Actions workflows to prevent execution of untrusted code with access to sensitive secrets.
- Replace the `pull_request_target` event with the `pull_request` event in workflows that build, test, lint, or run pull request code.
- Avoid checking out the pull request head commit (`github.event.pull_request.head.sha`) in workflows triggered by `pull_request_target`.
- If `pull_request_target` must be used (e.g., for labeling), ensure no checkout or execution of pull request code occurs in those workflows.
- Restrict `GITHUB_TOKEN` permissions to the least privilege necessary, especially limiting write access.
- Scope environment variables containing secrets to non-pull request events to prevent exposure during pull request workflows.
- Audit all workflows and branches for the vulnerable pattern and apply fixes accordingly.
Can you explain this vulnerability to me?
CVE-2026-27941 is a critical security vulnerability in the OpenLIT platform's GitHub Actions workflows. The issue arises from the insecure use of the `pull_request_target` event, which runs workflows with the base repository's security context, including access to sensitive secrets and a write-privileged `GITHUB_TOKEN`.

The workflows check out and execute code from forked pull requests, which are attacker-controlled. This means malicious code in a pull request can run with full access to secrets such as API keys, database tokens, and cloud service account keys.

Specifically, workflows like Pylint, Python Tests, and OpenLIT Docker tests are affected. An attacker can inject malicious code that exfiltrates secrets, runs arbitrary cloud commands, and manipulates the repository using the exposed `GITHUB_TOKEN`.

The vulnerability is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and has a very high severity with a CVSS score of 9.9, reflecting its potential to compromise confidentiality, integrity, and availability. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including the exfiltration of numerous sensitive secrets such as AI API keys, database credentials, and cloud service account keys.
An attacker can execute arbitrary code within the CI/CD pipeline, potentially gaining full control over the repository and associated cloud infrastructure.
Using the exposed `GITHUB_TOKEN`, an attacker can modify repository contents, create tags or releases, and perform supply-chain attacks, severely compromising the software development lifecycle.
Overall, the vulnerability poses a critical risk to the confidentiality, integrity, and availability of your codebase and cloud resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing your GitHub Actions workflows for the insecure use of the `pull_request_target` event combined with checking out and executing untrusted code from forked pull requests.
- Check if any workflow YAML files trigger on `pull_request_target` events.
- Look for usage of `actions/checkout@v5` or similar actions that check out the pull request head commit (`ref: ${{ github.event.pull_request.head.sha }}`) in these workflows.
- Inspect workflows for environment variables or secrets being set globally or during pull request runs.
Suggested commands to detect this pattern include:
- Use `grep -r 'pull_request_target' .github/workflows/` to find workflows triggered by `pull_request_target`.
- Use `grep -r 'checkout' .github/workflows/` to find checkout steps, then verify whether they use `ref: ${{ github.event.pull_request.head.sha }}`.
- Review workflow files for environment variables or secrets usage with commands like `grep -r 'env:' .github/workflows/`. [1]
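As an added example (not part of the advisory or of OpenLIT's own tooling), the POSIX shell audit below combines the two grep checks: a workflow is reported only when it both triggers on `pull_request_target` and checks out the pull request head, which is the combination the advisory describes. The sample workflow files it scans are constructed for the demo, and the `head.ref` match is an assumption added alongside the page's `head.sha` pattern.

```shell
#!/bin/sh
# Added audit helper, not part of OpenLIT or the advisory. It refines the grep
# checks above: a file is flagged only when BOTH conditions hold, i.e. it
# triggers on pull_request_target AND checks out the pull request head.
set -eu
# Returns 0 when workflow file $1 has the risky combination, 1 otherwise.
# Plain-text heuristic: a commented-out trigger also matches, so review each hit.
is_risky_workflow() {
  grep -q 'pull_request_target' "$1" || return 1
  grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)' "$1" || return 1
  return 0
}
# Reports each risky workflow under $1 on stderr; prints the count on stdout.
count_risky() {
  n=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    if is_risky_workflow "$f"; then
      echo "RISKY: $f" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}
# Constructed sample workflows (not OpenLIT's real files) for a stand-alone run.
DEMO_DIR="$(mktemp -d)"
cat > "$DEMO_DIR/risky.yml" <<'EOF'
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pytest
EOF
# Same checkout, but under pull_request: fork code runs without base secrets.
printf 'on: [pull_request]\njobs:\n  test:\n    steps:\n      - uses: actions/checkout@v5\n' \
  > "$DEMO_DIR/safe.yml"
# pull_request_target with no checkout of PR code (labeling-style workflow).
printf 'on: [pull_request_target]\njobs:\n  label:\n    steps:\n      - run: echo label\n' \
  > "$DEMO_DIR/label_only.yml"
count_risky "$DEMO_DIR"   # prints 1: only risky.yml combines both conditions
```

Point `count_risky` at a real `.github/workflows/` directory to audit a repository; each reported file still needs a manual read, since a `pull_request_target` workflow that never runs PR code is acceptable.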