PT-2026-37118 · Dagster +4 · Dagster Core +5
Alexwaira +2 · Published 2026-04-18 · Updated 2026-05-07 · CVE-2026-41490
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Dagster Core versions prior to 1.13.1; Dagster libraries versions prior to 0.29.1

Description: DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers construct SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission can create a partition key that injects arbitrary SQL, which executes against the target database backend using the I/O manager's credentials. This issue only affects deployments using dynamic partitions; pipelines using static or time-window partitions are not impacted.

Recommendations: Update Dagster Core to version 1.13.1. Update Dagster libraries to version 0.29.1.
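The interpolation defect the description refers to, shown beside its parameterized fix, as an added example that is not Dagster's own code. sqlite3 stands in for the affected backends, the `events` table is constructed, and the allowlist check is a hypothetical extra control rather than a Dagster API.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the target warehouse table
# (sqlite3 is an offline stand-in for DuckDB/Snowflake/BigQuery/DeltaLake).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (partition_key TEXT, value INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [("region_a", 1), ("region_b", 2)])
    return conn

def load_interpolated(conn, partition_key):
    # Vulnerable pattern the advisory describes: the dynamic partition key is
    # spliced into the WHERE clause as text, so a quote inside the key ends
    # the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT value FROM events WHERE partition_key = '{partition_key}'"
    return [row[0] for row in conn.execute(sql)]

def load_parameterized(conn, partition_key):
    # Hardened form: the key travels as a bound parameter and never becomes
    # part of the SQL text, so the database treats it purely as a value.
    sql = "SELECT value FROM events WHERE partition_key = ?"
    return [row[0] for row in conn.execute(sql, (partition_key,))]

# Hypothetical defence-in-depth check (assumed, not a Dagster API): accept only
# keys from a tight allowlist before they reach any I/O manager.
PARTITION_KEY_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,128}$")

def is_safe_partition_key(partition_key):
    return bool(PARTITION_KEY_RE.fullmatch(partition_key))

def interpolation_breaks(partition_key):
    # True when the interpolated query no longer parses for this key, i.e. the
    # key has escaped the string literal; the parameterized query never does.
    try:
        load_interpolated(make_db(), partition_key)
        return False
    except sqlite3.Error:
        return True
```

With a key such as `o'brien`, the interpolated query fails to parse while the parameterized one simply returns no rows, which is the behaviour the fixed versions should exhibit.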

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-41490
GHSA-MJW2-V2HM-WJ34

Affected Products

BigQuery
Dagster Core
Dagster Libraries
DeltaLake
DuckDB
Snowflake