Description

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.

INFO

Published Date :

2026-03-06T20:37:42.354Z

Last Modified :

2026-03-09T20:54:30.453Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-29790 vulnerability.

Vendors Products
Dbt-labs
  • Dbt-common
Getdbt
  • Dbt-common
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-29790.

URL Resource
https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709 cve-icon cve-icon
https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj cve-icon cve-icon
https://github.com/pypa/pip/pull/13777 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact