OpenLIT patches critical GitHub Actions pull_request_target secret exposure
TL;DR — OpenLIT's GitHub Actions workflows used pull_request_target with untrusted fork code, exposing repository secrets and privileged tokens to external contributors.
What happened
OpenLIT is an open-source observability platform for monitoring LLM applications and GPU infrastructure. CVE-2026-27941 describes a critical vulnerability in several OpenLIT GitHub Actions workflows that used pull_request_target while checking out and executing untrusted code from forked pull requests. This caused workflows to run in the base repository's security context, exposing a write-privileged GITHUB_TOKEN and sensitive secrets including API keys, database tokens, and a Google Cloud service account key.
The pull_request_target + checkout-of-PR-code antipattern is one of the most common CI/CD security mistakes in open source — this is the same class of issue that led to the OpenSSF Siren advisory on hackerbot-claw automated exploitation.
Who is impacted
- Repositories using OpenLIT versions < 1.37.1.
- Environments where the affected workflows run and can be triggered via forked pull requests.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Review all GitHub Actions workflows for unsafe pull_request_target usage combined with checkout/execution of PR code.
- If you suspect exposure, rotate GitHub Actions secrets and any credentials referenced by workflows.
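The review step above, carried out in code as an added example (this is not OpenLIT's own code or one of its workflows): a small Python audit that flags workflow files combining a pull_request_target trigger with an actions/checkout of the PR head or merge ref, run against a constructed weak workflow and a hardened one that moves the same job to the pull_request trigger. The sample workflows, the regular expressions and the function names are assumptions of this example; it is a line-based heuristic that relies on normal workflow indentation rather than a full YAML parser.

```python
import re

# Heuristic audit for the pull_request_target + checkout-of-PR-code
# antipattern. Added example, not OpenLIT code; patterns are assumptions.

# Values of `ref:` that make actions/checkout fetch fork-controlled code.
PR_CODE_REF = re.compile(r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/")
CHECKOUT_USES = re.compile(r"^\s*(-\s*)?uses:\s*['\"]?actions/checkout@")
REF_KEY = re.compile(r"^\s*ref:")
TRIGGER_KEY = re.compile(r"""^(on|"on"|'on'):""")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _uses_pull_request_target(lines) -> bool:
    """True if the top-level `on:` block (inline or nested) names pull_request_target."""
    in_on = False
    for line in lines:
        if TRIGGER_KEY.match(line):
            in_on = True
        elif in_on and line.strip() and not line[0].isspace():
            in_on = False  # the next top-level key ends the trigger block
        if in_on and "pull_request_target" in line:
            return True
    return False


def _list_items(lines):
    """Split the file into YAML list items; each workflow step is one item.

    An item starts at a line whose content begins with '- ' and ends at the next
    item at the same indentation or at any shallower non-blank line. Deeper
    dashes (nested lists) stay inside the enclosing item.
    """
    items, current = [], None
    for n, line in enumerate(lines, 1):
        stripped, ind = line.strip(), _indent(line)
        if current and stripped and (
            ind < current["indent"] or (ind == current["indent"] and stripped.startswith("- "))
        ):
            items.append(current)
            current = None
        if current is None:
            if not stripped.startswith("- "):
                continue
            current = {"indent": ind, "lines": []}
        current["lines"].append((n, line))
    if current:
        items.append(current)
    return items


def audit_workflow(text: str) -> list:
    """Return findings ("line N: ...") for one workflow file's text.

    A finding means: the workflow runs on pull_request_target (base-repo secrets
    and a write-capable GITHUB_TOKEN in scope) AND a step checks out PR code,
    so a fork can run its own code with those credentials available.
    """
    lines = text.splitlines()
    if not _uses_pull_request_target(lines):
        return []
    findings = []
    for item in _list_items(lines):
        has_checkout = any(CHECKOUT_USES.match(ln) for _, ln in item["lines"])
        for n, ln in item["lines"]:
            if has_checkout and REF_KEY.match(ln) and PR_CODE_REF.search(ln):
                findings.append(f"line {n}: actions/checkout fetches PR code under pull_request_target")
    return findings


# Constructed sample: the antipattern the advisory describes.
WEAK_WORKFLOW = """\
name: tests
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the PR head (fork-controlled code)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run tests with repository secrets in scope
        run: npm ci && npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

# Constructed sample: the same job on the pull_request trigger, which gives
# fork PRs a read-only token and no access to repository secrets.
HARDENED_WORKFLOW = """\
name: tests
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

A pull_request_target workflow that checks out only the base branch (no `ref:` pointing at the PR) is not flagged, which matches the advisory's point: the trigger alone is not the defect, the trigger combined with running fork code is. Real linters parse the YAML properly; this heuristic is meant to show what to look for.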
