Platform: python
Component: dbt-core
Fixed in: 8.0.1
CVE-2026-39382 is a command injection vulnerability in the dbt-core project, a tool used by data analysts and engineers for data transformation. The flaw arises from insecure handling of attacker-controlled input in a bash script, allowing potential execution of arbitrary commands. The vulnerability affects versions of dbt-core up to and including commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9, and a patch addressing the issue has been released.
CVE-2026-39382 in dbt-core stems from how the .github/workflows/open-issue-in-repo.yml workflow handles the output of the peter-evans/find-comment action. Specifically, the retrieved comment body is interpolated directly into a bash if statement without validation or sanitization. This lets an attacker control the script's execution flow and potentially execute arbitrary commands within the GitHub Actions environment. The severity depends on the context in which dbt is used and on the permissions held by the workflow. An attacker could, for example, craft the comment so that the workflow runs commands that steal credentials or compromise the repository's security.
An attacker could exploit this vulnerability by placing malicious content in the body of a documentation issue comment. When the GitHub Actions workflow processes that comment, the content is executed as part of the if statement, giving the attacker control of the script's execution flow. Whether exploitation succeeds depends on the repository's configuration and the permissions held by the workflow. The vulnerability resides in the internal dbt-labs workflow, but any repository using this workflow, or a similar one with the same command injection pattern, could be affected.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The fix in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 addresses this vulnerability by sanitizing the comment body before it is used in the if statement. Updating to the dbt-core version containing this fix as soon as possible is recommended. It is also important to review and audit other GitHub Actions workflows that consume the output of external actions, ensuring that such input is validated and escaped so it cannot be interpreted as shell commands. A code review policy that covers validation of externally sourced data is a recommended practice.
Update dbt-core to the patched version (bbed8d28354e9c644c5a7df13946a3a0451f9ab9) or later to mitigate the command injection vulnerability. Review the release notes for any breaking changes before updating. This update addresses the missing sanitization of the `comment-body` output in the reusable workflow and prevents the execution of arbitrary commands.
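As an added example (not from the advisory and not dbt-labs code), a small Python checker for the class of workflow defect described above: it flags `${{ }}` expressions that draw on contributor-influenced contexts, such as `steps.*.outputs.*`, when they appear inside a `run:` script, and stays silent when the same value is routed through `env:`. The two workflow fragments, the action pin placeholder and the marker string are constructed for illustration.

```python
import re

# Expression contexts an outside contributor can influence (constructed list, not
# exhaustive; steps.*.outputs.* covers values such as find-comment's comment-body).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(steps\.[\w-]+\.outputs\.[\w-]+"
    r"|github\.event\.(comment|issue|pull_request)\.(body|title)"
    r"|github\.head_ref)\s*\}\}"
)

def find_run_injections(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_no, expression) for each untrusted expression inside a `run:` scalar.
    Expressions under `env:` are not reported: the shell then receives them only as
    variable contents, never as text to be parsed as a command."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_yaml.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = re.match(r"(-\s*)?run:\s*(.*)$", stripped)
        if m:  # inline scalar is checked here; a block scalar (| or >) on the lines below
            in_run, run_indent = True, indent + len(m.group(1) or "")
            if m.group(2) and not m.group(2).startswith(("|", ">")):
                findings += [(no, e.group(0)) for e in UNTRUSTED.finditer(m.group(2))]
        elif in_run and (not stripped or indent > run_indent):
            findings += [(no, e.group(0)) for e in UNTRUSTED.finditer(line)]
        else:
            in_run = False
    return findings

# Constructed fragments modelled on the pattern in the advisory; the action pin and
# the marker string are placeholders, not values from the real workflow.
VULNERABLE = """\
      - uses: peter-evans/find-comment@<pinned-commit-sha>
        id: fc
      - run: |
          if [ "${{ steps.fc.outputs.comment-body }}" = "docs-issue-requested" ]; then
            echo "marker found"
          fi
"""
HARDENED = """\
      - uses: peter-evans/find-comment@<pinned-commit-sha>
        id: fc
      - env:
          COMMENT_BODY: ${{ steps.fc.outputs.comment-body }}
        run: |
          if [ "$COMMENT_BODY" = "docs-issue-requested" ]; then
            echo "marker found"
          fi
"""
```

`find_run_injections(VULNERABLE)` reports the expression on line 4 of the fragment, while `find_run_injections(HARDENED)` reports nothing, because the comment body only ever reaches bash as the contents of `$COMMENT_BODY`.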
dbt-core is a data transformation tool that enables data analysts and engineers to transform their data using practices similar to those used by software engineers.
If you use the .github/workflows/open-issue-in-repo.yml workflow from dbt-labs, or a similar workflow with the same command injection pattern, you may be exposed to this issue.
If you cannot update, review the workflow and add validation or escaping for the comment body input.
Review GitHub audit logs for any unusual activity in the GitHub Actions workflow.
Consult the commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 in the dbt-labs/actions repository for more details on the fix.