A critical security flaw in OpenLIT's CI/CD pipeline allows external attackers to execute malicious code and exfiltrate sensitive API keys and Google Cloud service credentials.

The vulnerability stems from the improper use of the pull_request_target event in GitHub Actions, which executes untrusted code from forked repositories within the security context of the base repository. This provides an unauthenticated attacker with access to a write-privileged GITHUB_TOKEN and various sensitive secrets.

Exploitation of this vulnerability could lead to the total compromise of the OpenLIT repository and linked cloud environments. The exposure of Google Cloud service account keys and vector store tokens allows attackers to manipulate or steal proprietary AI engineering data and infrastructure. The CVSS score of 9.9 reflects the catastrophic potential for unauthorized resource access and data exfiltration.

Immediate Action: Update OpenLIT to version 1.37.1 immediately and audit all GitHub Actions workflows for the insecure use of the pull_request_target trigger.

Proactive Monitoring: Monitor GitHub Action logs for suspicious workflow runs initiated from forked repositories and review Google Cloud audit logs for unauthorized service account activity.

Compensating Controls: Restrict the permissions of the GITHUB_TOKEN to read-only by default and use OpenID Connect (OIDC) for cloud authentication instead of long-lived service account keys.

Public Exploit Available: false

This vulnerability poses a direct threat to the integrity of the OpenLIT project and its users' cloud environments. It is imperative to apply the update immediately and rotate all secrets, including Google Cloud keys and database tokens, that were stored as GitHub Actions secrets.