CVE-2026-29790

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709	Patch
https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj	Mitigation Vendor Advisory
https://github.com/pypa/pip/pull/13777	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:getdbt:dbt-common::::::::
	cpe:2.3:a:getdbt:dbt-common::::::::

History

No history.

Information

Published : 2026-03-06 21:16

Updated : 2026-03-13 18:31

NVD link : CVE-2026-29790

Mitre link : CVE-2026-29790

CVE.ORG link : CVE-2026-29790

JSON object : View

Products Affected

getdbt

dbt-common

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-29790", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T21:16:15.630", "references": [{"url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pypa/pip/pull/13777", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}, {"lang": "es", "value": "dbt-common son las utilidades comunes compartidas que utilizan las implementaciones de dbt-core y adaptadores. Antes de las versiones 1.34.2 y 1.37.3, una vulnerabilidad de salto de ruta existe en la funci\u00f3n safe_extract() de dbt-common utilizada al extraer archivos tarball. La funci\u00f3n usa os.path.commonprefix() para validar que los archivos extra\u00eddos permanezcan dentro del directorio de destino previsto. Sin embargo, commonprefix() compara rutas car\u00e1cter por car\u00e1cter en lugar de por componentes de ruta, permitiendo que un tarball malicioso escriba archivos en directorios hermanos con prefijos de nombre coincidentes. Este problema ha sido parcheado en las versiones 1.34.2 y 1.37.3."}], "lastModified": "2026-03-13T18:31:00.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91D5F6A6-AA8F-4F03-B786-EF7209FC3AA5", "versionEndExcluding": "1.34.2"}, {"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "552E0425-7675-4ACC-8F4C-AC56646A119D", "versionEndExcluding": "1.37.3", "versionStartIncluding": "1.35.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}