CVE-2026-29790
MEDIUM WAF: High
CVSS 5.3
Published: 2026-03-06
CWE-22
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| getdbt | dbt-common | up to 1.34.2 |
| getdbt | dbt-common | 1.35.0 - 1.37.3 |
References
- github.com (Patch)
- github.com (Mitigation, Vendor Advisory)
- github.com (Issue Tracking)