CVE-2026-39382

Name of the Vulnerable Software and Affected Versions dbt (affected versions not specified)

Description dbt allows data analysts and engineers to transform data using software engineering practices. A command injection issue exists in the workflow located at dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml. The peter-evans/find-comment action's output, specifically steps.issue comment.outputs.comment-body, is directly interpolated into a bash if statement without proper escaping. This allows a malicious comment body to inject arbitrary shell commands.

Recommendations Update to a version after commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.