Peter Evans · Peter-Evans/Find-Comment · CVE-2026-39382
Name of the Vulnerable Software and Affected Versions
dbt (affected versions not specified)
Description
dbt allows data analysts and engineers to transform data using software engineering practices. A command injection issue exists in the workflow located at dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml. The `peter-evans/find-comment` action's output, specifically `steps.issue comment.outputs.comment-body`, is directly interpolated into a Bash `if` statement without proper escaping: the `${{ ... }}` expression is expanded into the script text before the shell runs it, so shell metacharacters in the value are parsed as code rather than treated as data. This allows a malicious comment body to inject arbitrary shell commands.
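The pattern described above (an action output expanded inside a `run:` script) is detectable by scanning workflow files. The scanner below is an added example written for this page; it is not code from the dbt-labs/actions repository or from the find-comment project. The two workflow fragments it scans are constructed here, with a hypothetical step id `find`; the first mirrors the vulnerable shape (output interpolated into the `if` test), the second shows the usual fix of passing the value through `env:` so the shell only ever sees it as a variable.

```python
"""Flag GitHub Actions expressions that are interpolated into `run:` scripts.

Standard library only, so it runs offline; it does not parse YAML fully,
it tracks `run:` blocks by indentation, which is enough for this check.
"""
import re
from dataclasses import dataclass

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(\|[-+]?|>[-+]?)?\s*(.*)$")

# Contexts through which attacker-controlled text commonly flows. Step outputs
# are included because, as in the advisory above, an action may echo a comment
# body verbatim.
UNTRUSTED_RE = re.compile(
    r"^(?:"
    r"github\.event\.(?:issue|comment|pull_request|review|review_comment|discussion)\.(?:body|title)"
    r"|github\.event\.pull_request\.head\.ref"
    r"|github\.head_ref"
    r"|steps\.[\w-]+\.outputs\.[\w-]+"
    r"|inputs\.[\w-]+"
    r")$"
)


@dataclass
class Finding:
    line: int          # 1-based line number in the scanned text
    expression: str    # the expression inside ${{ }}
    untrusted: bool    # True when it matches a known attacker-influenced context


def _indent_of(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> list[Finding]:
    """Return every ${{ }} expression found inside a run: script."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Column of the `run:` key; block-scalar content must be indented past it,
        # while sibling keys (env:, with:) sit at the same column and are excluded.
        base = lines[i].index("run:")
        block = [(i + 1, m.group(3))]   # inline part of `run: echo ...`, if any
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent_of(lines[j]) > base):
            block.append((j + 1, lines[j]))
            j += 1
        for lineno, content in block:
            for expr in EXPR_RE.findall(content):
                findings.append(Finding(lineno, expr, bool(UNTRUSTED_RE.match(expr))))
        i = j
    return findings


# Constructed sample: the vulnerable shape. Step id `find` is hypothetical.
VULNERABLE_STEP = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/find-comment@v3
        id: find
        with:
          issue-number: ${{ github.event.issue.number }}
          body-includes: already opened
      - name: Skip if the comment exists
        run: |
          if [ "${{ steps.find.outputs.comment-body }}" != "" ]; then
            echo "comment found, skipping"
          fi
"""

# Constructed sample: the hardened shape. The runner expands the expression into
# an environment variable, so the shell receives the body as data, never as code.
HARDENED_STEP = """\
      - name: Skip if the comment exists
        env:
          COMMENT_BODY: ${{ steps.find.outputs.comment-body }}
        run: |
          if [ "$COMMENT_BODY" != "" ]; then
            echo "comment found, skipping"
          fi
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STEP), ("hardened", HARDENED_STEP)):
        hits = scan_workflow(text)
        print(f"{label}: {len(hits)} expression(s) inside run: scripts")
        for f in hits:
            print(f"  line {f.line}: {f.expression} ({'untrusted' if f.untrusted else 'review'})")
```

Run against a checkout, `scan_workflow` would be called on each file under `.github/workflows/`. The expression in the hardened fragment sits under `env:` rather than `run:`, so the scanner reports nothing for it, which is the point: quoting `"$COMMENT_BODY"` inside the script is then ordinary, safe Bash, whereas no amount of quoting protects `${{ ... }}` text that is spliced into the script before Bash parses it.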
Recommendations
Update to a version after commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.