{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29790", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.900Z", "datePublished": "2026-03-06T20:37:42.354Z", "dateUpdated": "2026-03-09T20:54:30.453Z"}, "containers": {"cna": {"title": "dbt-common: commonprefix() doesn't protect against path traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj"}, {"name": "https://github.com/pypa/pip/pull/13777", "tags": ["x_refsource_MISC"], "url": "https://github.com/pypa/pip/pull/13777"}, {"name": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709"}], "affected": [{"vendor": "dbt-labs", "product": "dbt-common", "versions": [{"version": "< 1.37.3", "status": "affected"}, {"version": "< 1.34.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:37:42.354Z"}, "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}], "source": {"advisory": "GHSA-w75w-9qv4-j5xj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:37.998764Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:30.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29790", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:37.998764Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:51:44.447Z"}}], "cna": {"title": "dbt-common: commonprefix() doesn't protect against path traversal", "source": {"advisory": "GHSA-w75w-9qv4-j5xj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "dbt-labs", "product": "dbt-common", "versions": [{"status": "affected", "version": "< 1.37.3"}, {"status": "affected", "version": "< 1.34.2"}]}], "references": [{"url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "name": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pypa/pip/pull/13777", "name": "https://github.com/pypa/pip/pull/13777", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "name": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:37:42.354Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29790", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:30.453Z", "dateReserved": "2026-03-04T16:26:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T20:37:42.354Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D5F6A6-AA8F-4F03-B786-EF7209FC3AA5", "versionEndExcluding": "1.34.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*", "matchCriteriaId": "552E0425-7675-4ACC-8F4C-AC56646A119D", "versionEndExcluding": "1.37.3", "versionStartIncluding": "1.35.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}, {"lang": "es", "value": "dbt-common son las utilidades comunes compartidas que utilizan las implementaciones de dbt-core y adaptadores. Antes de las versiones 1.34.2 y 1.37.3, una vulnerabilidad de salto de ruta existe en la funci\u00f3n safe_extract() de dbt-common utilizada al extraer archivos tarball. La funci\u00f3n usa os.path.commonprefix() para validar que los archivos extra\u00eddos permanezcan dentro del directorio de destino previsto. Sin embargo, commonprefix() compara rutas car\u00e1cter por car\u00e1cter en lugar de por componentes de ruta, permitiendo que un tarball malicioso escriba archivos en directorios hermanos con prefijos de nombre coincidentes. Este problema ha sido parcheado en las versiones 1.34.2 y 1.37.3."}], "id": "CVE-2026-29790", "lastModified": "2026-03-13T18:31:00.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T21:16:15.630", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/pypa/pip/pull/13777"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.37.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.34.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dbt-common", "source": "cna", "vendor": "dbt-labs"}, "product": "dbt-common", "vendor": "dbt-labs"}], "analysis": {"en": {"generated_at": "2026-04-16T11:12:35.962524+00:00", "value": {"mitigation_remediation": ["Upgrade dbt-common to version 1.34.2 or later (or 1.37.3 for the 1.3.x line) to apply the fixed safe_extract implementation.", "Until a patch can be applied, avoid extracting untrusted tarballs with dbt-common by limiting usage to trusted sources and performing manual path checks before extraction.", "If you maintain custom extraction logic that relies on safe_extract, replace the commonprefix-based validation with a secure component\u2011level path check, such as using os.path.realpath and confirming the target resides inside the intended directory."], "summary": {"action": "Patch", "impact": "Arbitrary file write outside the intended extraction directory via path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects dbt-labs' dbt-common library. Versions prior to 1.34.2 for the 1.x.x series and prior to 1.37.3 for the 1.3.x series are impacted. All affected builds that invoke safe_extract during tarball extraction are at risk, including those used by dbt\u2011core and adapter implementations that rely on the shared utilities.", "description_and_impact": "dbt-common's safe_extract function, used to unpack tarball archives, validates file extraction paths using os.path.commonprefix(). This function compares paths at the character level rather than component level, allowing a crafted tarball to place extracted files outside the intended directory but within a sibling directory sharing a common name prefix. The flaw permits an attacker to write arbitrary files to unauthorized locations, potentially overwriting configuration or executable files and enabling privilege escalation or other system tampering. The weakness is identified as CWE\u201122, a directory traversal vulnerability.", "risk_and_exploitability": "The CVSS score of 2 indicates low severity, and the EPSS probability of less than 1\u202f% suggests limited exploitation likelihood. Because the flaw requires the attacker to supply a malicious tarball and the vulnerable extraction routine to be invoked, the attack vector is local or remote via supply chain depending on how the tarball is provided. The vulnerability is not listed in CISA\u2019s KEV catalog. While the risk level is currently low, organizations deploying dbt-common should update promptly to mitigate the possibility of file system compromise."}}}}, "created": "2026-03-09T10:06:59.209781+00:00", "updated": "2026-04-16T11:15:27.691337+00:00", "vendors": ["dbt-labs", "dbt-labs$PRODUCT$dbt-common"]}