Platform
python
Component
dbt-common
Fixed in
1.37.4
1.34.3
1.34.2
A path traversal vulnerability has been identified in the safe_extract() function of dbt-common, in versions up to 1.9.0. A crafted tarball can cause files to be written outside the intended extraction directory, bypassing the directory restriction safe_extract() is supposed to enforce. The root cause is a prefix-based path check that does not compare path components. Affected users should upgrade to one of the fixed releases listed above (1.34.2 or later) to resolve the issue.
The core of the vulnerability is the use of os.path.commonprefix() in safe_extract(). That function compares strings character by character rather than path component by path component, so a target path that merely begins with the same characters as the destination directory (e.g., /tmp/packages) passes the check. A crafted tarball can therefore contain a member such as ../packages_evil/malicious_file.txt: after joining it to the destination it resolves to /tmp/packages_evil/malicious_file.txt, which shares the string prefix /tmp/packages with the intended directory and is accepted, even though it lands in a sibling directory. This gives an attacker a write primitive outside the extraction directory, and depending on the permissions of the user running the dbt process it could overwrite files or inject code that is later executed.
This vulnerability was publicly disclosed on March 5, 2026. Currently, there are no known public proof-of-concept exploits. The CVSS score is 2.5 (LOW), a low severity rating that reflects the limited impact of a sibling-directory write and the requirement that a victim extract an attacker-supplied tarball. It is not listed in the CISA KEV catalog at the time of writing.
Exploit Status
EPSS
0.07% (22% percentile)
CISA SSVC
The primary mitigation is to upgrade dbt-common to version 1.34.2 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, restrict the sources from which tarball archives are fetched to trusted locations, and apply strict file permission controls on the extraction directory and its parent so that a sibling-directory write has limited effect. Review and audit any custom extraction logic for the same mistake: a containment check must compare path components (os.path.commonpath(), or a trailing-separator prefix check), not raw string prefixes. After upgrading, verify the fix by extracting a test archive that contains a member whose path resolves to a sibling directory sharing a string prefix with the destination, and confirm that extraction is rejected and no file is written outside the intended directory.
Update the dbt-common library to version 1.34.2 or later, or to version 1.37.3 or later, as appropriate, to fix the path traversal vulnerability. The fixed releases reject tarball members that would be written outside the intended destination directory.
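The following is an added example, not code from dbt-common or the dbt project, that reconstructs the flawed check described above beside a component-wise replacement and runs both over a constructed tarball. It serves two purposes: it shows why the commonprefix() comparison accepts a sibling directory, and it doubles as the kind of verification archive suggested in the mitigation section. The destination /tmp/packages, the member names and the function names are all illustrative assumptions; nothing is written to disk, since only the pre-extraction path check is exercised.

```python
import io
import os
import tarfile


def vulnerable_is_within_directory(directory: str, target: str) -> bool:
    """Prefix check in the style the advisory describes.

    This is a reconstruction for illustration, not code copied from
    dbt-common. os.path.commonprefix() compares strings character by
    character, so a sibling whose name merely starts with the destination
    string is wrongly accepted.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def safe_is_within_directory(directory: str, target: str) -> bool:
    """Component-wise containment check.

    os.path.commonpath() works on path segments, so /tmp/packages_evil is
    not considered to be inside /tmp/packages.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:
        # Raised for paths on different drives (Windows) or a mix of
        # absolute and relative paths; treat as outside the directory.
        return False


def check_members(tar: tarfile.TarFile, dest: str, checker) -> dict:
    """Run `checker` over every member the way a safe_extract()-style
    pre-check would, and return {member_name: accepted}."""
    results = {}
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)
        results[member.name] = checker(dest, member_path)
    return results


def build_test_tarball() -> tarfile.TarFile:
    """Constructed sample archive: one benign member and two traversal
    attempts, one of which targets a sibling directory that shares a
    string prefix with the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in (
            "model.sql",
            "../packages_evil/malicious_file.txt",
            "../../etc/passwd",
        ):
            data = b"payload"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def compare_checks(dest: str = "/tmp/packages") -> dict:
    """Evaluate both checks against the constructed archive.

    The vulnerable check accepts the sibling-directory member; the fixed
    check accepts only the benign one. Neither extracts anything.
    """
    with build_test_tarball() as tar:
        return {
            "vulnerable": check_members(tar, dest, vulnerable_is_within_directory),
            "fixed": check_members(tar, dest, safe_is_within_directory),
        }


if __name__ == "__main__":
    for label, verdicts in compare_checks().items():
        print(label)
        for name, accepted in verdicts.items():
            print(f"  {'ACCEPT' if accepted else 'REJECT'}  {name}")
```

Note that a containment check on member names is only part of the story: a tarball can also carry symlink members, and a later member can be written through a symlink that points outside the destination. When running on a Python build that has it (3.12, and the backports to 3.8.17, 3.9.17, 3.10.12 and 3.11.4), pair the path check with `tar.extractall(path, filter="data")`, which rejects absolute paths, parent-directory traversal and links escaping the destination.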
CVE-2026-29790 is a path traversal vulnerability affecting dbt-common versions up to 1.9.0. A crafted tarball passed to safe_extract() can cause files to be written outside the intended extraction directory.
You are affected if you are using dbt-common version 1.9.0 or earlier. Check the installed version with pip show dbt-common, or with python -c "import importlib.metadata as m; print(m.version('dbt-common'))".
Upgrade dbt-common to version 1.34.2 or later to resolve the vulnerability. If an immediate upgrade is not possible, fetch tarballs only from trusted sources and apply strict file permissions to the extraction directory and its parent.
As of now, there are no confirmed reports of active exploitation, but the fix should be applied proactively.
Refer to the dbt project's security advisories for the latest information and updates regarding CVE-2026-29790.