CVE-2026-29790: dbt-common's commonprefix() doesn't protect against path traversal
(updated )
What kind of vulnerability is it? Who is impacted?
A path traversal vulnerability exists in dbt-common’s safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes.
For example, when extracting to /tmp/packages, a crafted tarball could write files to /tmp/packagesevil/ by exploiting the character-based prefix matching.
This vulnerability affects users who:
- Install dbt packages from untrusted sources
- Process tarball archives through dbt-common’s extraction utilities
The practical risk is limited because:
- Exploitation requires a malicious tarball to be processed
- File writes are restricted to sibling directories with matching prefixes (not arbitrary paths)
- Packages from trusted sources (dbt Hub) are not affected
This is similar to CVE-2026-1703 in pip, which had a CVSS score of 3.9 (Low).
References
- docs.python.org/3/library/os.path.html
- github.com/advisories/GHSA-6vgw-5pg2-w6jp
- github.com/advisories/GHSA-w75w-9qv4-j5xj
- github.com/dbt-labs/dbt-common
- github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709
- github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj
- github.com/pypa/pip/pull/13777
- nvd.nist.gov/vuln/detail/CVE-2026-29790
Code Behaviors & Features
Detect and mitigate CVE-2026-29790 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →