Cyber Posture

CVE-2026-27941

Critical · Public PoC

Published: 26 February 2026

Modified: 06 March 2026
KEV Added
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27941 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in the OpenLIT Software Development Kit. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The vulnerability ranks at the 21.5th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Dependencies and Development Tools (T1195.001) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Establishes and enforces secure configuration settings for GitHub Actions workflows to prevent use of pull_request_target event with untrusted code checkout in privileged contexts.

prevent

Enforces least privilege on GITHUB_TOKEN permissions and limits exposure of sensitive secrets in workflows, directly mitigating privilege escalation from untrusted PR code execution.

prevent

Restricts access to modify workflow configuration files, preventing introduction or persistence of vulnerable pull_request_target configurations in the repository.

MITRE ATT&CK Enterprise Techniques (AI)

T1195.001 Compromise Software Dependencies and Development Tools (Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1677 Poisoned Pipeline Execution (Execution)
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
Why these techniques?

Vulnerability enables execution of attacker-controlled code from forks inside privileged GitHub Actions workflows (pull_request_target), directly mapping to poisoned pipeline execution (T1677) and compromise of development tools / software supply chain (T1195.001/002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.

Deeper analysis (AI)

CVE-2026-27941 is a critical-severity vulnerability (CVSS 9.9, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) affecting GitHub Actions workflows in the OpenLIT open-source platform for AI engineering. Prior to version 1.37.1, several workflows in the OpenLIT GitHub repository improperly used the `pull_request_target` event trigger. This allowed the workflows to check out and execute untrusted code from pull requests originating from forked repositories, while running in the elevated security context of the base repository. That context included a write-privileged `GITHUB_TOKEN` and exposure to sensitive secrets such as API keys, database and vector store tokens, and a Google Cloud service account key. The issue is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

An attacker with low privileges (PR:L), such as a user able to fork the repository and submit a pull request, can exploit this vulnerability remotely over the network with no user interaction required. By crafting a malicious pull request containing arbitrary code in the workflow, the attacker triggers execution in the base repository's privileged context. This grants full read/write access to the repository via the `GITHUB_TOKEN`, as well as exfiltration or misuse of all exposed secrets, potentially leading to compromise of linked services like databases, vector stores, and Google Cloud resources. The changed scope (S:C) amplifies impact across confidentiality, integrity, and availability.

The vulnerability was addressed in OpenLIT version 1.37.1, which contains a fix detailed in commit 4a62039a1659d6cbb8913172693f587b5fc2546c. Security practitioners should upgrade to this version or later and review workflows for similar misuse of `pull_request_target`. Additional guidance is available in the GitHub Security Advisory at GHSA-9jgv-x8cq-296q.
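As a starting point for the workflow review recommended above, the following added example (not code from OpenLIT or from this page's source) flags the combination this CVE describes: a `pull_request_target` trigger together with a checkout of the pull request's head, secret references, and no explicit `permissions:` block. The two sample workflows and the finding codes are constructed for illustration, and the check is a line-based heuristic rather than a full YAML parse.

```python
import re

# Constructed sample workflows for illustration (not OpenLIT's actual files).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Expressions that resolve to the fork's commit rather than the base branch.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")

def audit_workflow(text):
    """Return sorted finding codes for one workflow file (line-based heuristic)."""
    # Drop YAML comments so a commented-out trigger is not reported.
    lines = [re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines()]
    body = "\n".join(lines)
    if not re.search(r"\bpull_request_target\b", body):
        return []  # unprivileged triggers are out of scope for this check
    findings = set()
    if any(re.match(r"\s*ref:", ln) and PR_HEAD.search(ln) for ln in lines):
        findings.add("untrusted-checkout")
    if re.search(r"\$\{\{\s*secrets\.", body):
        findings.add("secrets-in-privileged-run")
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.add("no-permissions-block")
    return sorted(findings)

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safer", SAFER)):
        print(name, audit_workflow(wf))
```

Run it over each file under `.github/workflows/` and treat any `untrusted-checkout` finding as the one to fix first, since it is the step that brings fork code into the privileged run.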

Details

CWE(s)

Affected Products

openlit
openlit software development kit
1.36.2 — 1.37.1

AI Security Analysis (AI)

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

CVEs Like This One

CVE-2026-26974 (shared CWE-829)
CVE-2025-27607 (shared CWE-829)
CVE-2025-27510 (shared CWE-829)
CVE-2026-43569 (shared CWE-829)
CVE-2026-1699 (shared CWE-829)
CVE-2026-40313 (shared CWE-829)
CVE-2026-6859 (shared CWE-829)
CVE-2026-22816 (shared CWE-829)
CVE-2026-28372 (shared CWE-829)
CVE-2026-4295 (shared CWE-829)
