Executive Summary

CVE-2026-29790 is a path traversal vulnerability in the dbt-common Python package, specifically in its safe_extract() function used for extracting tarball archives.

The vulnerability arises because safe_extract() uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() performs a character-by-character comparison rather than comparing path components, which allows a malicious tarball to write files outside the target directory into sibling directories with similar name prefixes.

For example, extracting to `/tmp/packages` could be exploited to write files into `/tmp/packagesevil/`.

The issue was fixed by replacing os.path.commonprefix() with os.path.commonpath(), which correctly compares paths by their components, preventing path traversal.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users who install dbt packages from untrusted sources or process tarball archives via dbt-common’s extraction utilities.

A malicious tarball could write files outside the intended extraction directory into sibling directories with matching name prefixes, potentially leading to unauthorized file writes.

However, the practical risk is limited because exploitation requires processing a malicious tarball, and file writes are confined to sibling directories with matching prefixes, not arbitrary paths.

Official packages from trusted sources like dbt Hub are not affected.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when extracting tarball archives using the vulnerable safe_extract() function in dbt-common versions prior to 1.34.2 and 1.37.3. Detection involves identifying if your system uses these vulnerable versions and if untrusted tarball archives have been processed.

Since the vulnerability allows path traversal to sibling directories with matching prefixes during tar extraction, you can check for unexpected files or directories created outside the intended extraction path but with similar name prefixes.

Suggested commands to help detect exploitation attempts or presence of suspicious files include:

• Verify the installed version of dbt-common or dbt-core to check if it is vulnerable: e.g., `pip show dbt-common` or `pip show dbt-core`.
• Search for files created outside the expected extraction directory but with similar prefixes. For example, if extraction target is `/tmp/packages`, look for sibling directories like `/tmp/packagesevil` using: `ls -ld /tmp/packagesevil*`.
• Audit recent file creation timestamps in directories adjacent to extraction targets to identify unexpected writes.
• Review logs or scripts that perform tarball extraction to confirm if safe_extract() or similar vulnerable code was used.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade dbt-common to version 1.34.2 or later, or dbt-core to versions 1.11.7 or 1.10.20 or later, where the issue has been fixed.

The fix replaces the vulnerable os.path.commonprefix() call with os.path.commonpath(), which correctly validates extraction paths and prevents path traversal.

Additional mitigation steps include:

• Only install packages from trusted sources such as the official dbt Hub or verified git repositories.
• Avoid installing or extracting tarball archives from untrusted URLs or third parties.
• Manually review the contents of tarball archives before extraction to detect any suspicious file paths.

Useful 0 Not Useful 0