Impact
The vulnerability is caused by the misuse of the GitHub Actions "pull_request_target" event in several workflows prior to version 1.37.1. When a pull request is opened from a forked repository, the workflow runs with the security context of the base repository, which includes a write-privileged GITHUB_TOKEN and access to many sensitive secrets such as API keys, database tokens, and a Google Cloud service account key. The attacker can supply arbitrary code in the forked pull request, causing that code to be executed under the privileged context of the base repository. This results in remote code execution and secret exposure, enabling the attacker to modify repository contents, deploy malicious code, or exfiltrate confidential credentials.
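The misuse described above, as an added example that is not part of the advisory or of OpenLIT's own code: a small Python audit that flags a workflow combining pull_request_target with a checkout of the pull request head (the combination that lets fork code run with the base repository's secrets), run against two constructed workflow snippets, a vulnerable shape and its corrected form. The regexes, finding messages and both snippets are assumptions of this example, not files from the project.

```python
import re

# Line-based heuristic (added example); the risky pattern is visible per line,
# so no YAML parser is needed (PyYAML would also read the `on:` key as True).
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*['\"]?actions/checkout")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)|refs/pull/")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")

def audit_workflow(text: str) -> list[str]:
    """Return the reasons a workflow is risky; an empty list means no finding."""
    lines = [ln for ln in text.splitlines() if not ln.strip().startswith("#")]
    if not any(PR_TARGET_RE.search(ln) for ln in lines):
        return []  # pull_request_target is the precondition for this bug class
    findings, in_checkout = [], False
    for line in lines:
        if CHECKOUT_RE.search(line):
            in_checkout = True  # `with:` lines that follow belong to this step
        elif line.strip().startswith("-"):
            in_checkout = False  # a new step begins
        elif in_checkout and HEAD_REF_RE.search(line):
            findings.append("checks out untrusted PR head under pull_request_target")
            in_checkout = False
    if findings and any(SECRET_RE.search(ln) for ln in lines):
        findings.append("secrets are in scope for the untrusted code")
    return findings

# Constructed sample of the advisory's pattern: fork head run with base secrets.
VULNERABLE = """
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && pytest
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

# Corrected form: pull_request runs fork code with no secrets and a read-only token.
FIXED = """
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && pytest
"""
```

A pull_request_target workflow that checks out only the base branch (no `ref:` pointing at the PR head) produces no finding, since it never executes fork-supplied code.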
Affected Systems
Vendors affected include OpenLIT, specifically the OpenLIT Software Development Kit. All releases prior to version 1.37.1 are vulnerable because their GitHub Actions workflows incorrectly use the pull_request_target event.
Risk and Exploitability
The CVSS score of 10 indicates the highest possible severity, while an EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, but because the attacker only needs to fork the repository and open a pull request—tasks that require no special credentials—the practical attack vector is wide open to anyone with access to GitHub. Once exploited, an attacker can execute arbitrary code, modify production code, and retrieve all secrets exposed to the workflow. Given the critical impact and the ease of the attack path, it is recommended that affected users apply the vendor fix as soon as possible.
OpenCVE Enrichment