Platform
python
Component
dbt-core
Fixed in
8.0.1
CVE-2026-39382 is a command injection vulnerability in the dbt-core project, a tool used by data analysts and engineers for data transformation. The flaw arises from insecure handling of attacker-controlled input inside a bash script, allowing the potential execution of arbitrary commands. The vulnerability affects versions of dbt-core up to and including bbed8d28354e9c644c5a7df13946a3a0451f9ab9, and a patch addressing the issue has been released.
The vulnerability lies within the open-issue-in-repo.yml workflow, specifically in how the comment-body output from the peter-evans/find-comment action is handled. This output, which is attacker-controlled, is directly interpolated into a bash if statement without proper escaping. Consequently, a malicious comment containing shell commands can be injected and executed on the system running the workflow. Successful exploitation could lead to remote code execution, allowing an attacker to gain control of the CI/CD environment and potentially access sensitive data or compromise downstream systems. The blast radius extends to any data processed by dbt-core and any systems accessible from the compromised CI/CD pipeline.
This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is currently pending evaluation, but the potential for remote code execution suggests a medium to high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation is to upgrade dbt-core to version bbed8d28354e9c644c5a7df13946a3a0451f9ab9 or later. This version includes the necessary escaping to prevent command injection. As an interim measure, consider restricting the permissions of the GitHub Actions workflow to minimize the potential impact of a successful exploit. Review and audit the open-issue-in-repo.yml workflow for any other potential vulnerabilities. After upgrading, verify the fix by attempting to inject a simple command (e.g., echo 'test') in a comment and confirming that it is not executed.
Update dbt-core to the fixed version (bbed8d28354e9c644c5a7df13946a3a0451f9ab9) or later to mitigate the command injection vulnerability. Be sure to review the release notes for any breaking changes before updating. This update addresses the missing sanitization of the `comment-body` output in the reusable workflow, preventing the execution of arbitrary commands.
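The injection path described above (a `${{ }}` expansion of `comment-body` inside a bash `if`) next to the environment-variable fix, as an added illustrative example that is not the actual dbt-labs workflow; the step id `fc`, the trigger, the action version and the matched phrase are assumptions.

```yaml
# Illustrative reconstruction, not the real dbt-labs workflow: the step id
# "fc", the trigger, the action version and the matched phrase are assumed.
name: open-issue-in-repo
on:
  issue_comment:
    types: [created]

jobs:
  # --- Vulnerable pattern ------------------------------------------------
  # ${{ ... }} is expanded by the runner before bash starts, so the comment
  # text becomes part of the script source rather than a quoted value.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - id: fc
        uses: peter-evans/find-comment@v3
        with:
          issue-number: ${{ github.event.issue.number }}
          body-includes: "open issue in"
      - name: Decide whether to open the issue (unsafe)
        run: |
          if [[ "${{ steps.fc.outputs.comment-body }}" == *"open issue in"* ]]; then
            echo "would open issue"
          fi

  # --- Hardened pattern --------------------------------------------------
  # Pass the untrusted output through an environment variable: bash then
  # receives it as data in "$COMMENT_BODY" and nothing in the text can alter
  # the script. A minimal token scope limits the blast radius if another
  # step is ever found to be injectable.
  hardened:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      contents: read
    steps:
      - id: fc
        uses: peter-evans/find-comment@v3
        with:
          issue-number: ${{ github.event.issue.number }}
          body-includes: "open issue in"
      - name: Decide whether to open the issue (safe)
        env:
          COMMENT_BODY: ${{ steps.fc.outputs.comment-body }}
        run: |
          if [[ "$COMMENT_BODY" == *"open issue in"* ]]; then
            echo "would open issue"
          fi
```

The same rule applies to any other untrusted context (issue titles, PR bodies, branch names): never place it inside `run:` via `${{ }}`; bind it to an `env:` variable and quote it.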
dbt-core is a data transformation tool that enables data analysts and engineers to transform their data using practices similar to those used by software engineers.
If you use the .github/workflows/open-issue-in-repo.yml workflow from dbt-labs, or a similar workflow with the same command injection pattern, you may be vulnerable.
If you cannot update yet, review the workflow and add validation or escaping for the comment body input.
Review GitHub audit logs for any unusual activity in the GitHub Actions workflow.
Consult the commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 in the dbt-labs/actions repository for more details on the fix.