CVE-2026-29790

dbt-common is the shared common utilities library used by dbt-core and adapter implementations. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function, used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character by character rather than by path components, so a malicious tarball can write files to sibling directories whose names share a prefix with the destination directory. This issue has been patched in versions 1.34.2 and 1.37.3.
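The following is an added illustration, not code from dbt-common or its fix commit: it places a character-wise commonprefix() check beside a component-wise commonpath() check and runs both over the member names of a constructed in-memory tarball, with a constructed destination of /srv/dbt/packages, so the prefix-collision case described above can be seen without extracting anything.

```python
import io
import os
import tarfile


def commonprefix_allows(dest: str, member_name: str) -> bool:
    """Pre-fix style check: os.path.commonprefix compares strings character by
    character, so '/x/packages' counts as a prefix of '/x/packages-evil/...'."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    return os.path.commonprefix([dest_abs, target]) == dest_abs


def commonpath_allows(dest: str, member_name: str) -> bool:
    """Hardened check: os.path.commonpath compares whole path components, so a
    sibling directory that merely shares a name prefix is no longer 'inside' dest."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # raised on Windows for paths on different drives
        return False


def audit_archive(tar_bytes: bytes, dest: str) -> dict:
    """Map each member name to (flawed verdict, hardened verdict) without extracting."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return {m.name: (commonprefix_allows(dest, m.name), commonpath_allows(dest, m.name))
                for m in tar.getmembers()}


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign member plus two traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("models/schema.yml", "../packages-evil/hook.py", "../../etc/crontab"):
            info = tarfile.TarInfo(name=name)
            data = b"placeholder"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    verdicts = audit_archive(build_sample_tar(), "/srv/dbt/packages")  # constructed dest
    for name, (flawed, hardened) in verdicts.items():
        print(f"{name!r}: commonprefix allows={flawed}, commonpath allows={hardened}")
```

Only the `../packages-evil/` member separates the two checks: the prefix check accepts it, the component check rejects it. Neither check resolves symlinks or inspects link members, which a complete safe extraction must also handle (Python 3.12's tarfile extraction filters, e.g. filter="data", cover that).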
Configurations

Configuration 1

cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*

History

13 Mar 2026, 18:31

Type | Values Removed | Values Added
References | https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709 | https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709 - Patch
References | https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj | https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj - Mitigation, Vendor Advisory
References | https://github.com/pypa/pip/pull/13777 | https://github.com/pypa/pip/pull/13777 - Issue Tracking
First Time | | Getdbt; Getdbt dbt-common
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 5.3
CPE | | cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*
Summary | | (es) dbt-common is the shared common utilities library used by dbt-core and adapter implementations. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function, used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character by character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.

06 Mar 2026, 21:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-06 21:16

Updated : 2026-03-13 18:31


NVD link : CVE-2026-29790

Mitre link : CVE-2026-29790

CVE.ORG link : CVE-2026-29790


Products Affected

getdbt

  • dbt-common
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')