PT-2026-23610 · Unknown · Dbt-Common

Sethmlarson · Published 2026-03-05 · Updated 2026-03-13 · CVE-2026-29790

CVSS v3.1 5.3 Medium
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions dbt-common versions prior to 1.34.2; dbt-common versions prior to 1.37.3
Description A path traversal issue exists in the safe_extract() function of dbt-common when extracting tarball archives. The function uses os.path.commonprefix() to validate member paths, but commonprefix() compares the strings character by character rather than by path component, so a destination directory and any sibling directory whose name begins with the same characters are treated as sharing a prefix. A malicious tarball can therefore write files into such a sibling directory: for example, when extracting to /tmp/packages, a crafted tarball could write files to /tmp/packagesevil/. The vulnerability affects users who install dbt packages from untrusted sources or process tarball archives through dbt-common's extraction utilities. The fix replaces os.path.commonprefix() with os.path.commonpath(), which compares paths component by component.
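The prefix-versus-component distinction described above, shown as an added example that is not dbt-common's own code. The function names, the destination /tmp/packages and the in-memory sample tarball are all constructed for illustration; the two check functions reproduce the shape of the weak (commonprefix) and corrected (commonpath) comparison so the difference can be observed on the same member names, and escaping_members() shows the defensive pattern of validating every member before anything is written.

```python
import io
import os
import tarfile

# Constructed sample destination; it does not need to exist on disk.
DEST = "/tmp/packages"


def accepted_by_prefix_check(dest: str, member_name: str) -> bool:
    """The pre-fix style of check: os.path.commonprefix() compares the two
    strings character by character, so "/tmp/packages" is reported as a
    prefix of "/tmp/packagesevil/x" although they are different directories."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    return os.path.commonprefix([dest_abs, target]) == dest_abs


def accepted_by_path_check(dest: str, member_name: str) -> bool:
    """The fixed style of check: os.path.commonpath() compares whole path
    components, so only targets at or below dest are accepted."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, member_name))
    try:
        return os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:
        # Raised when the paths cannot share a root (e.g. different drives on Windows).
        return False


def compare_checks(dest: str, member_names: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each member name to (prefix_check_accepts, path_check_accepts)."""
    return {
        name: (accepted_by_prefix_check(dest, name), accepted_by_path_check(dest, name))
        for name in member_names
    }


def build_sample_tarball(member_names: list[str]) -> bytes:
    """Constructed sample input: an in-memory gzip tarball with one tiny
    file per name, used only to feed the validator below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in member_names:
            data = b"-- sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def escaping_members(tarball: bytes, dest: str) -> list[str]:
    """Validate every member before anything is written: return the names
    whose resolved target would land outside dest under the commonpath
    check. realpath() is used so symlinked paths are compared as resolved."""
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            try:
                inside = os.path.commonpath([dest_real, target]) == dest_real
            except ValueError:
                inside = False
            if not inside:
                bad.append(member.name)
    return bad


if __name__ == "__main__":
    names = ["models/a.sql", "../packagesevil/x", "../other/x", "/etc/passwd"]
    for name, (by_prefix, by_path) in compare_checks(DEST, names).items():
        print(f"{name!r:22} commonprefix accepts={by_prefix!s:5} commonpath accepts={by_path}")
    sample = build_sample_tarball(["models/a.sql", "../packagesevil/x"])
    print("members that would escape:", escaping_members(sample, DEST))
```

Running the script shows that both checks agree on an ordinary member (models/a.sql), on a plain parent-directory escape (../other/x) and on an absolute path, and disagree only on the sibling-with-shared-prefix case the advisory describes: commonprefix() accepts ../packagesevil/x, commonpath() rejects it. Validating the whole member list before extracting anything, rather than checking each member as it is written, also means a rejected archive leaves no partial output behind.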
Recommendations Upgrade to dbt-common version 1.34.2 or later. Upgrade to dbt-common version 1.37.3 or later. Only install dbt packages from trusted sources. Avoid installing packages from untrusted URLs or unverified third parties. Review package contents before installation when sourcing from external locations.

Exploit · Fix

Weakness Enumeration Path traversal

Related Identifiers CVE-2026-29790, GHSA-W75W-9QV4-J5XJ

Affected Products Dbt-Common