CVE-2026-29790 — Path Traversal in Dbt-common

CWE-22 — Path Traversal4 documents4 sources

Severity

2.0LOWNVD

EPSS

0.1%

top 75.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dbt-labs Dbt-common Getdbt Dbt-common

Timeline

Latest updateMar 5

PublishedMar 6

Description

dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write fi…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDgetdbt/dbt-common1.35.0 — 1.37.3+1

▶CVEListV5dbt-labs/dbt-common< 1.37.3+1

▶PyPIdbt-labs/dbt-common1.35.0 — 1.37.3+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

dbt-common's commonprefix() doesn't protect against path traversal↗2026-03-05

▶

GHSA

dbt-common's commonprefix() doesn't protect against path traversal↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29790 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶