CVE-2026-39382: dbt-core Command Injection Vulnerability
Platform
python
Component
dbt-core
Fixed in
8.0.1
CVE-2026-39382 is a command injection vulnerability in the dbt-core project, a tool used by data analysts and engineers for data transformation. The flaw is not in the dbt Python package itself but in one of the project's GitHub Actions workflows: attacker-controlled input (an issue comment body) is interpolated unescaped into a bash script, so an attacker can run arbitrary commands in the CI job. The flaw is fixed in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 and in the dbt-core 8.0.1 release.
Impact and Attack Scenarios
CVE-2026-39382 arises from how the .github/workflows/open-issue-in-repo.yml workflow handles the output of the peter-evans/find-comment action. The retrieved comment body is interpolated directly into a bash if statement without validation or escaping. GitHub Actions expands `${{ ... }}` expressions textually into the step's `run:` script before the shell ever sees it, so a comment containing a double quote terminates the string literal and everything after it is executed as shell code. This lets an attacker control the script's execution flow and run arbitrary commands on the runner. The severity depends on what the job can reach: the permissions granted to the workflow's GITHUB_TOKEN, any secrets exposed to the job, and anything else the runner has access to. An attacker could, for example, craft a comment that exfiltrates those credentials or modifies the repository.
Exploitation Context
An attacker who can post a comment on the relevant documentation issue can exploit this vulnerability by placing shell syntax in the comment body. When the workflow runs and find-comment returns that body, the injected text becomes part of the if statement and executes with the job's privileges. Whether the attack succeeds, and what it can do, depends on the repository's configuration and on the permissions and secrets granted to the workflow. The vulnerable workflow belongs to dbt-labs, but any repository that calls this reusable workflow, or that copies the same pattern of interpolating an action output into a `run:` script, is exposed in the same way.
Threat Intelligence
EPSS
0.06% (19th percentile)
Mitigation and Workarounds
The fix in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 sanitizes the comment body before it is used in the if statement. Update to the dbt-core release containing this fix (8.0.1) as soon as possible. Because the flaw lives in a workflow file rather than in the Python package, also check your own repository: if it calls the dbt-labs reusable workflow, pin it to a ref that contains the fix; if it copied the workflow, apply the same change locally. More generally, audit GitHub Actions workflows that use outputs of external actions (or any event-controlled field such as issue titles, comment bodies, or branch names) and make sure such values are never expanded with `${{ }}` directly inside a `run:` script; pass them through environment variables and quote them, or validate them against an allow-list first. A code review policy that checks untrusted input handling in CI configuration helps prevent this class of bug.
How to fix
Update dbt-core to the patched release (8.0.1, which contains commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9) or later. Review the release notes for breaking changes before updating. The fix addresses the missing sanitization of the `comment-body` output in the reusable workflow, so that a crafted comment can no longer execute arbitrary commands.
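The following is an added example written for this page; it is not code from the dbt-labs workflow or from the fix commit. It emulates what the Impact and Exploitation Context sections describe: the runner substitutes `${{ steps.fc.outputs.comment-body }}` as text into the step's `run:` script, so a comment that closes the quoted string runs shell. The hardened variant shows the standard Actions pattern of passing the value through an environment variable and quoting it, not the project's actual sanitization change. The step and variable names, the `docs-synced` marker string, and the attacker comment are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from dbt-labs: emulates a GitHub Actions step that
# writes ${{ steps.fc.outputs.comment-body }} straight into a `run:` script,
# beside a hardened step that takes the comment from an environment variable.
# Step names, the marker string and the attacker comment are assumptions.

# Constructed attacker comment: ends the quoted string, runs a command, starts
# a new quoted string so the rest of the line still parses.
MALICIOUS_COMMENT='"; echo INJECTED > "$MARKER"; echo "'
EXPECTED_COMMENT='docs-synced'
export EXPECTED_COMMENT

# Runner behaviour: the ${{ }} expression is substituted as text into the
# script BEFORE any shell sees it, so quotes in the comment become quotes in
# the script. This function produces that already-expanded script.
render_vulnerable_step() {
  printf 'if [ "%s" = "%s" ]; then echo match; else echo nomatch; fi\n' \
    "$1" "$EXPECTED_COMMENT"
}

# Hardened pattern: the script is fixed text; the comment reaches it only as
# the value of $COMMENT_BODY, which the shell compares but never re-parses.
FIXED_STEP='if [ "$COMMENT_BODY" = "$EXPECTED_COMMENT" ]; then echo match; else echo nomatch; fi'

# probe MODE BODY -> "<branch taken> <injected|clean>"
# A marker file that only the injected command would create records whether
# attacker-controlled code ran.
probe() {
  mode="$1"; body="$2"
  MARKER=$(mktemp -u); export MARKER
  if [ "$mode" = vulnerable ]; then
    branch=$(sh -c "$(render_vulnerable_step "$body")" 2>/dev/null | tail -n 1)
  else
    COMMENT_BODY="$body"; export COMMENT_BODY
    branch=$(sh -c "$FIXED_STEP" 2>/dev/null | tail -n 1)
  fi
  if [ -f "$MARKER" ]; then state=injected; rm -f "$MARKER"; else state=clean; fi
  echo "$branch $state"
}

probe vulnerable "$EXPECTED_COMMENT"   # match clean
probe vulnerable "$MALICIOUS_COMMENT"  # match injected
probe fixed "$MALICIOUS_COMMENT"       # nomatch clean
```

In the vulnerable case the attacker does not even need the comparison to fail: the injected command runs while the condition is being evaluated, and the `match` branch is taken afterwards because the last command in the mangled condition succeeded. The hardened step never lets the comment influence what the shell parses, which is the property to check for in any workflow that consumes action outputs or event fields.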
Frequently asked questions
What is CVE-2026-39382 — Command Injection in dbt-core?
CVE-2026-39382 is a command injection flaw in the dbt-core project's GitHub Actions workflow .github/workflows/open-issue-in-repo.yml: the body of an issue comment, retrieved via the peter-evans/find-comment action, is interpolated unescaped into a bash if statement, so a crafted comment can execute arbitrary commands in the CI job. dbt-core itself is a data transformation tool that lets data analysts and engineers transform data using practices similar to those of software engineers.
Am I affected by CVE-2026-39382 in dbt-core?
You are affected if your repository uses the .github/workflows/open-issue-in-repo.yml reusable workflow from dbt-labs at a ref that predates the fix, or a copied workflow with the same command injection pattern. Users who only install the dbt-core Python package and do not run this workflow are not exposed by it.
How do I fix CVE-2026-39382 in dbt-core?
Update to dbt-core 8.0.1 or later, or pin the reusable workflow to a ref containing commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9. If you cannot update, edit the workflow so the comment body is validated or escaped before use, for example by passing it to the script through an environment variable instead of expanding it inline.
Is CVE-2026-39382 being actively exploited?
This page records no known exploitation; the EPSS score is 0.06% (19th percentile). To check your own exposure, review GitHub audit logs and the run logs of the affected workflow for unusual commands or unexpected comment-triggered runs.
Where can I find the official dbt-core advisory for CVE-2026-39382?
Consult the commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 in the dbt-labs/actions repository for more details on the fix.