Path Traversal Vulnerability in dbt-common Utilities from dbt-labs
CVE-2026-29790

CVSS v4 score: 2 (LOW)

Key Information:

Vendor: dbt-labs
CVE Published: 6 March 2026

What is CVE-2026-29790?

A path traversal vulnerability exists in the safe_extract() function of dbt-common, a shared utility library used by dbt-core and its adapter implementations. The flaw allows a malicious tarball to extract files outside the intended destination directory, because the function validates extraction paths with os.path.commonprefix(). That function compares paths character by character rather than by path component, so a crafted archive can write files into sibling directories whose names share a prefix with the destination directory. The issue has been resolved in versions 1.34.2 and 1.37.3.
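The difference between the two comparison strategies, as an added example that is not dbt-common's own code: weak_is_within() is a hypothetical check built on os.path.commonprefix() in the spirit of the flawed validation, strict_is_within() compares whole path components with os.path.commonpath(), and both are run over a constructed in-memory tarball with a constructed destination path.

```python
import io
import os
import tarfile

def weak_is_within(dest: str, member_name: str) -> bool:
    """Prefix check in the spirit of the flawed validation (hypothetical; not dbt-common's code).
    commonprefix() compares strings character by character, so a sibling directory whose
    name merely starts with the destination's name passes."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, member_name))
    return os.path.commonprefix([dest, target]) == dest

def strict_is_within(dest: str, member_name: str) -> bool:
    """Component-wise check: commonpath() compares whole path segments; realpath()
    first resolves symlinks so both sides are compared in canonical form."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member_name))
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:  # e.g. paths on different Windows drives share no root
        return False

def build_tar(member_names):
    """Constructed in-memory tarball whose members carry the given names (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def accepted_members(tar_bytes, dest, check):
    """Names of members that `check` would allow to be written under dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if check(dest, m.name)]

# Constructed sample: a legitimate member, one that lands in a sibling directory sharing
# the destination's name as a prefix, and one that climbs further up the tree.
SAMPLE_MEMBERS = ["models/schema.yml", "../data_sibling/note.txt", "../../outside/note.txt"]
DEST = os.path.join(os.sep, "srv", "dbt", "data")  # constructed destination path

if __name__ == "__main__":
    tar_bytes = build_tar(SAMPLE_MEMBERS)
    print("commonprefix accepts:", accepted_members(tar_bytes, DEST, weak_is_within))
    print("commonpath accepts:  ", accepted_members(tar_bytes, DEST, strict_is_within))
```

The prefix check rejects the member that climbs two levels up but still accepts the sibling-directory member; the component-wise check accepts only the legitimate one.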

Affected Version(s)

dbt-common < 1.37.3 (fixed in 1.37.3)

dbt-common < 1.34.2 (fixed in 1.34.2)

CVSS v4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved