LeakyCreds

CVE-2026-27941 - Vulnerability Analysis

Severity: Critical | CVSS: 9.9

Last Updated: February 27, 2026

OpenLIT - Broken Access Control

Published: February 26, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

OpenLIT prior to 1.37.1 contains a broken access control vulnerability: several GitHub Actions workflows in the project's repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. Because `pull_request_target` runs with the privileges of the base repository, the fork-controlled code runs with access to the repository's secrets. Exploitation requires an untrusted pull request from a fork.
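The workflow pattern described above, as an added illustration that is not taken from OpenLIT's repository: the first workflow triggers on `pull_request_target` and checks out the pull request head, so fork-controlled code runs with the base repository's token and secrets; the second keeps the same purpose but uses the plain `pull_request` trigger, which gives forks a read-only token and no secrets. Workflow, job and secret names are hypothetical.

```yaml
# Vulnerable pattern (illustrative, not OpenLIT's actual workflow).
# pull_request_target runs in the base repository's context, so the job
# receives a write-capable GITHUB_TOKEN and repository secrets. Checking out
# the fork's head commit and then executing its build/test scripts hands
# that privilege to whoever opened the pull request.
name: test (unsafe)
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Fork-controlled commit checked out into a privileged job.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # runs fork-controlled package.json scripts
        env:
          API_KEY: ${{ secrets.API_KEY }}   # hypothetical secret, now exposed

---
# Hardened form: untrusted code runs only under the pull_request trigger.
# For forks this yields a read-only GITHUB_TOKEN and no repository secrets,
# and the explicit permissions block keeps the token minimal for all PRs.
# pull_request_target stays acceptable only for jobs that never check out or
# execute pull request code (for example, applying labels via the API).
name: test (safe)
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default merge ref; nothing privileged to leak
      - run: npm ci && npm test
```

A quick repository check is to grep all files under .github/workflows for `pull_request_target` and confirm that none of those jobs checks out or runs pull request code while holding secrets.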

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 4.2% (probability of exploitation in the next 30 days)

Impact

Attackers can access sensitive secrets and tokens, potentially leading to full repository compromise and unauthorized actions.

Mitigation

Update to version 1.37.1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 26, 2026

🔓 CVE-2026-27941 - Critical (9.9) OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull re... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27941/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-27941
Severity: Critical
CVSS Score: 9.9
Type: broken_access_control
Status: unconfirmed
EPSS: 4.2%
Social Posts: 1

CWE

  • CWE-829

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.2% (probability of exploitation in the next 30 days)