CVE-2026-29790 LOW

CVE-2026-29790: dbt-common: commonprefix() doesn't protect against path traversal

Vendor Dbt-Labs
Product dbt-common
Weakness CWE-22 · Path traversal
Published March 6, 2026
Last update March 9, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Active
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

dbt-common is the shared utilities library used by dbt-core and by adapter implementations. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function, used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, so a destination of /tmp/dest also "contains" /tmp/dest-evil/x as far as the check is concerned. This allows a malicious tarball to write files to sibling directories whose names share a prefix with the destination. This issue has been patched in versions 1.34.2 and 1.37.3.
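The following is an added example, not dbt-common's code: it reconstructs the character-wise commonprefix() check the advisory describes next to a component-wise check built on os.path.commonpath(), classifies a few constructed member names with both, and then extracts a constructed tarball containing a "../dest-evil/..." member to show that the flawed check lets the sibling directory be written while the component-wise check rejects the archive. Function names, the sample member names and the temporary directory layout are all assumptions made for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def is_within_commonprefix(dest: str, member_name: str) -> bool:
    """Reconstruction of the flawed check (hypothetical, not dbt-common's code).
    commonprefix() compares characters, so '/x/dest' is a 'prefix' of '/x/dest-evil/f'."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    return os.path.commonprefix([dest_abs, target]) == dest_abs


def is_within_commonpath(dest: str, member_name: str) -> bool:
    """Component-wise check: commonpath() works on path segments, so a sibling
    directory that merely starts with the same characters is not 'inside' dest."""
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, member_name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # e.g. different drives on Windows: never inside
        return False


# Constructed sample member names (assumptions for the demo).
SAMPLE_MEMBERS = [
    "README.txt",
    "sub/config.yml",
    "../dest-evil/pwned.txt",  # sibling dir sharing the prefix 'dest'
    "../../etc/passwd",         # classic traversal, caught by both checks
]


def compare_checks(dest: str, names=SAMPLE_MEMBERS) -> dict:
    """Map each member name to (commonprefix verdict, commonpath verdict)."""
    return {n: (is_within_commonprefix(dest, n), is_within_commonpath(dest, n))
            for n in names}


def build_malicious_tar(path: str, dest_name: str) -> None:
    """Constructed sample tarball: one benign file plus one member whose name
    climbs out of the destination into a sibling directory sharing its prefix."""
    entries = [
        ("README.txt", b"benign\n"),
        (f"../{dest_name}-evil/pwned.txt", b"escaped\n"),
    ]
    with tarfile.open(path, "w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def extract_with_check(tar_path: str, dest: str, is_within) -> list:
    """Validate every member with `is_within` first, then write regular files
    by hand so the outcome depends only on the check, not on the tarfile
    extraction filters of a particular Python version. Returns written paths."""
    written = []
    with tarfile.open(tar_path, "r") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not is_within(dest, m.name)]
        if bad:
            raise ValueError(f"refusing to extract {bad!r}: outside {dest}")
        os.makedirs(dest, exist_ok=True)
        for member in members:
            if not member.isreg():  # symlinks/devices need their own handling
                continue
            target = os.path.normpath(os.path.join(dest, member.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_extraction(check) -> tuple:
    """Build the sample tarball in a fresh temp dir, extract it with `check`,
    and report (archive_rejected, sibling_file_written)."""
    with tempfile.TemporaryDirectory() as tmp:
        tar_path = os.path.join(tmp, "evil.tar")
        build_malicious_tar(tar_path, "dest")
        dest = os.path.join(tmp, "dest")
        sibling = os.path.join(tmp, "dest-evil", "pwned.txt")
        try:
            extract_with_check(tar_path, dest, check)
            rejected = False
        except ValueError:
            rejected = True
        return rejected, os.path.exists(sibling)


if __name__ == "__main__":
    for name, verdicts in compare_checks("/srv/extract/dest").items():
        print(f"{name:28} commonprefix={verdicts[0]!s:5} commonpath={verdicts[1]}")
    print("flawed check  (rejected, sibling written):", run_extraction(is_within_commonprefix))
    print("fixed check   (rejected, sibling written):", run_extraction(is_within_commonpath))
```

Note that the fixed check only covers where a member's name resolves; tar members that are symbolic links (or hard links) can still redirect later writes and need a separate check on the link target, and on Python 3.12+ tarfile's extraction filters provide an additional layer for that case.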

Key dates

02 Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated