CVE-2026-29790 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
What kind of vulnerability is it? Who is impacted?
A path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes.
For example, when extracting to /tmp/packages, a crafted tarball containing a member such as ../packagesevil/x could write files into /tmp/packagesevil/: the resolved target /tmp/packagesevil/x begins with the string /tmp/packages, so a string-prefix comparison accepts it even though the path leaves the destination directory. The check only fails open for sibling directories whose names share a prefix with the destination; a member resolving to /etc/passwd is still rejected.
This vulnerability affects users who:
The practical risk is limited because:
This is similar to CVE-2026-1703 in pip, which had a CVSS score of 3.9 (Low).
Has the problem been patched? What versions should users upgrade to?
Fixed in dbt-common versions 1.37.3 and 1.34.2; the fix is included in the dbt-core 1.11.7 and 1.10.20 releases.
The fix replaces os.path.commonprefix() with os.path.commonpath(), which correctly compares paths by their components rather than characters.
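The following is an added, self-contained example written for this page (it is not dbt-common's own code and does not reproduce its safe_extract() implementation). It builds a small tarball in memory with one benign member and one constructed malicious member named ../packagesevil/pwned.txt, then runs the same extraction loop twice: once with a commonprefix()-style containment check of the kind the advisory describes, once with the commonpath() check the fix uses. The helper names (is_within_commonprefix, is_within_commonpath, safe_extract, extract_with) and the member names are assumptions chosen for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def is_within_commonprefix(dest, member_name):
    """Flawed containment check (pattern described in the advisory).

    os.path.commonprefix() compares strings character by character, so
    /tmp/packagesevil/x is judged to be inside /tmp/packages.
    """
    abs_dest = os.path.abspath(dest)
    abs_target = os.path.abspath(os.path.join(dest, member_name))
    return os.path.commonprefix([abs_dest, abs_target]) == abs_dest


def is_within_commonpath(dest, member_name):
    """Hardened check: os.path.commonpath() compares whole path components."""
    abs_dest = os.path.abspath(dest)
    abs_target = os.path.abspath(os.path.join(dest, member_name))
    return os.path.commonpath([abs_dest, abs_target]) == abs_dest


def build_tarball(members):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archive: one legitimate file and one traversal member
# whose resolved path is a sibling directory sharing the prefix "packages".
EVIL_TAR = build_tarball({
    "models/schema.yml": b"version: 2\n",
    "../packagesevil/pwned.txt": b"written outside the destination\n",
})


def safe_extract(tar_bytes, dest, check):
    """Extract regular-file members that pass `check`; skip the rest.

    Files are written by hand rather than via TarFile.extract() so the
    behaviour does not depend on the tarfile extraction filter of the
    running Python version. Returns (written, blocked) member names.
    """
    written, blocked = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if not check(dest, member.name):
                blocked.append(member.name)
                continue
            target = os.path.abspath(os.path.join(dest, member.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(member.name)
    return written, blocked


def extract_with(check):
    """Extract EVIL_TAR into <tmp>/packages using `check`.

    Returns the sorted list of files that ended up anywhere under <tmp>,
    relative to <tmp>, so an escape into <tmp>/packagesevil is visible.
    """
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "packages")
        os.makedirs(dest)
        safe_extract(EVIL_TAR, dest, check)
        created = []
        for dirpath, _, files in os.walk(root):
            for name in files:
                created.append(os.path.relpath(os.path.join(dirpath, name), root))
        return sorted(created)


if __name__ == "__main__":
    print("commonprefix check wrote:", extract_with(is_within_commonprefix))
    print("commonpath check wrote:  ", extract_with(is_within_commonpath))
```

With the commonprefix-style check the traversal member lands in packagesevil/pwned.txt beside the destination; with the commonpath check only packages/models/schema.yml is written. Note that both checks reject members resolving far outside the destination (for example ../../etc/passwd), which is why the defect is limited to sibling directories with a matching name prefix.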
Is there a way for users to fix or remediate the vulnerability without upgrading?
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
commonpath vs commonprefix: https://docs.python.org/3/library/os.path.html#os.path.commonpath