OpenLIT patches critical GitHub Actions workflow issue that could expose secrets (CVE-2026-27941)
What happened
CVE-2026-27941 was published for OpenLIT, describing a critical vulnerability in several GitHub Actions workflows in the OpenLIT GitHub repository prior to version 1.37.1.
The issue is that these workflows were triggered by the pull_request_target event, which by design runs in the security context of the base repository, while also checking out and executing untrusted code from forked pull requests. Code from a fork therefore ran with the base repository's privileges rather than the restricted context a plain pull_request trigger would give it.
As described in the CVE record, this base-repo context includes a write-privileged GITHUB_TOKEN and other sensitive secrets (including API keys, database/vector store tokens, and a Google Cloud service account key).
Who is impacted
- Repositories using OpenLIT versions < 1.37.1 (the affected range listed in the CVE record).
- Specifically, environments where the affected GitHub Actions workflows run and can be triggered via forked pull requests under the pull_request_target event model described in the CVE record.
What to do now
- Upgrade to OpenLIT 1.37.1 (the CVE record states 1.37.1 contains a fix).
- Review GitHub Actions workflows for unsafe pull_request_target usage combined with checkout/execution of PR code.
- If you suspect exposure, rotate GitHub Actions secrets and any credentials referenced by workflows (API keys, DB/vector store tokens, and any cloud service account keys).
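To make the review step concrete, the script below scans workflow files for the pattern this CVE describes: a pull_request_target trigger, a checkout of the pull request's head ref, and steps that run afterwards with the base repository's secrets. It is an added example, not code from the OpenLIT project or its advisory, and it is a line-oriented heuristic (no YAML library) rather than a full parser, so its output is a list of places to inspect by hand. The two workflow snippets are constructed for illustration; the hardened one uses the ordinary pull_request trigger, which is a common fix for this pattern, not a description of the specific commit referenced below.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target
footgun: untrusted fork code checked out and executed with base-repo secrets.

Added example; not OpenLIT code. Line-oriented, so it flags candidates for
manual review rather than proving exploitability.
"""
import re
from pathlib import Path

# Expressions that resolve to the fork's code instead of the base repository.
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref|repo)|github\.head_ref"
)
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout")
# A shell step, or a local action loaded from the checked-out tree.
EXEC_RE = re.compile(r"run:|uses:\s*\./")


def audit_workflow(text: str) -> list[str]:
    """Return findings (line-numbered strings) for one workflow file's text."""
    numbered = [
        (n, line) for n, line in enumerate(text.splitlines(), 1)
        if not line.lstrip().startswith("#")  # skip full-line comments
    ]
    if not any("pull_request_target" in line for _, line in numbered):
        return []  # plain pull_request runs get a read-only token and no secrets

    findings: list[str] = []
    in_checkout = False
    checkout_at = None   # line of the current actions/checkout step
    tainted_at = None    # line of a checkout that pulled the PR head
    for n, line in numbered:
        s = line.strip()
        if s.startswith("- "):          # a new list item ends the checkout's `with:` block
            in_checkout = False
            key = s[2:].strip()
        else:
            key = s
        if CHECKOUT_RE.search(key):
            in_checkout = True
            checkout_at = n
        if in_checkout and HEAD_REF_RE.search(s):
            tainted_at = checkout_at
            findings.append(
                f"line {n}: pull_request_target workflow checks out the PR head ({s})"
            )
        if tainted_at is not None and n > tainted_at and EXEC_RE.match(key):
            findings.append(
                f"line {n}: step runs after untrusted checkout with base-repo secrets ({key[:50]})"
            )
    return findings


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Audit every .github/workflows/*.yml|yaml under root; return non-empty results."""
    results: dict[str, list[str]] = {}
    for path in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        found = audit_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample: the vulnerable shape. The fork controls package.json, so
# `npm test` is fork-controlled code running with API_KEY in its environment.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

# Constructed sample: hardened by using the pull_request trigger, which runs in
# the fork's context with a read-only GITHUB_TOKEN and no repository secrets.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
    print(audit_tree(Path(".")) or "no findings in ./.github/workflows")
```

Run it from a repository root to scan the checked-in workflows, or pass individual file contents to audit_workflow. A pull_request_target workflow that checks out the base branch (no head ref) and only reads pull request metadata produces no findings, which matches the safe use of that trigger.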
Additional Information
- GitHub Security Advisory: GHSA-9jgv-x8cq-296q
- Fix reference commit: 4a62039a1659d6cbb8913172693f587b5fc2546c
Published 26 Feb 2026
