{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39382", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.515Z", "datePublished": "2026-04-07T19:56:15.251Z", "dateUpdated": "2026-04-08T16:14:59.745Z"}, "containers": {"cna": {"title": "dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82"}, {"name": "https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9", "tags": ["x_refsource_MISC"], "url": "https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9"}], "affected": [{"vendor": "dbt-labs", "product": "dbt-core", "versions": [{"version": "< bbed8d28354e9c644c5a7df13946a3a0451f9ab9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:56:15.251Z"}, "descriptions": [{"lang": "en", "value": "dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9."}], "source": {"advisory": "GHSA-5jxf-vmqr-5g82", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:12:21.569788Z", "id": "CVE-2026-39382", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:14:59.745Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T16:12:21.569788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:12:33.218Z"}}], "cna": {"title": "dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output", "source": {"advisory": "GHSA-5jxf-vmqr-5g82", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dbt-labs", "product": "dbt-core", "versions": [{"status": "affected", "version": "< bbed8d28354e9c644c5a7df13946a3a0451f9ab9"}]}], "references": [{"url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82", "name": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9", "name": "https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:56:15.251Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39382", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:14:59.745Z", "dateReserved": "2026-04-06T22:06:40.515Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:56:15.251Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9."}], "id": "CVE-2026-39382", "lastModified": "2026-04-16T14:57:08.337", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:32.980", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9"}, {"source": "security-advisories@github.com", "url": "https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,bbed8d28354e9c644c5a7df13946a3a0451f9ab9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "dbt-core", "vendor": "dbt-labs"}], "analysis": {"en": {"generated_at": "2026-04-07T22:16:39.217541+00:00", "value": {"mitigation_remediation": ["Replace the open-issue-in-repo.yml workflow file with the fixed version referenced in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 or later."], "summary": {"action": "Immediate Patch", "impact": "Command Execution via Workflow Injection"}, "threat_synthesis": {"affected_systems": "The affected product is dbt-labs:dbt-core. No specific version information is listed, so any deployment that includes the open-issue-in-repo.yml workflow and uses the vulnerable comment handling may be impacted.", "description_and_impact": "The vulnerability resides in a reusable workflow file used by dbt-labs. A bash if statement incorporates the output of\u00a0peter-evans/find-comment\u00a0without sanitization, allowing an attacker who can supply a comment body to break out of a quoted string and inject arbitrary shell commands. The result is that malicious commands can be executed within the workflow environment, potentially compromising the CI pipeline and any secrets it has access to.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a high severity, and while EPSS data is not available, the vulnerability is not currently cataloged as a known exploited vulnerability. The likely attack vector is a malicious comment posted to a repository that uses the vulnerable workflow. If an adversary can control the comment body, they can inject shell commands into the workflow\u2019s prepare job, enabling arbitrary code execution in the CI environment."}}}}, "created": "2026-04-08T19:45:59.754832+00:00", "updated": "2026-04-09T08:23:04.898056+00:00", "vendors": ["dbt-labs", "dbt-labs$PRODUCT$dbt-core"]}