{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-29790","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-04T16:26:02.900Z","datePublished":"2026-03-06T20:37:42.354Z","dateUpdated":"2026-03-09T20:54:30.453Z"},"containers":{"cna":{"title":"dbt-common: commonprefix() doesn't protect against path traversal","problemTypes":[{"descriptions":[{"cweId":"CWE-22","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":2,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj","tags":["x_refsource_CONFIRM"],"url":"https://github.com/dbt-labs/dbt-common/security/advisories/GHSA-w75w-9qv4-j5xj"},{"name":"https://github.com/pypa/pip/pull/13777","tags":["x_refsource_MISC"],"url":"https://github.com/pypa/pip/pull/13777"},{"name":"https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709","tags":["x_refsource_MISC"],"url":"https://github.com/dbt-labs/dbt-common/commit/e547954a48bac9394ef6eb98432e429dce9a7709"}],"affected":[{"vendor":"dbt-labs","product":"dbt-common","versions":[{"version":"< 1.37.3","status":"affected"},{"version":"< 1.34.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-06T20:37:42.354Z"},"descriptions":[{"lang":"en","value":"dbt-common is the 
shared common utilities that dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3."}],"source":{"advisory":"GHSA-w75w-9qv4-j5xj","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-29790","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-03-09T20:50:37.998764Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-09T20:54:30.453Z"}}]}}