CVE-2026-29790 Overview
CVE-2026-29790 is a path traversal vulnerability in dbt-common, the shared common utilities library for dbt-core and adapter implementations. The vulnerability exists in the safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes.
Critical Impact
A malicious tarball archive can exploit the flawed path validation to write files outside the intended extraction directory, potentially overwriting configuration files or placing malicious code in unexpected locations.
Affected Products
- dbt-common versions prior to 1.34.2
- dbt-common versions prior to 1.37.3
- dbt-core and adapter implementations using vulnerable dbt-common versions
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-29790 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29790
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from improper path validation during tarball extraction. The safe_extract() function was designed to prevent directory traversal attacks by ensuring extracted files remain within the designated destination directory. However, the implementation used os.path.commonprefix() for this validation, which is fundamentally unsuitable for path security checks.
The os.path.commonprefix() function operates on strings at the character level, not on path components. This means it will incorrectly identify /home/user_data and /home/user as having a common prefix of /home/user, even though /home/user_data is actually a sibling directory rather than a subdirectory of /home/user. An attacker can craft a malicious tarball with entries that exploit this behavior to write files to directories that share a common character prefix with the intended destination.
Root Cause
The root cause is the use of os.path.commonprefix() instead of os.path.commonpath() for directory containment validation. While both functions find common prefixes, commonprefix() operates on raw strings character-by-character, whereas commonpath() properly handles path semantics and validates based on actual directory components. This distinction is critical for security-sensitive path validation operations.
Attack Vector
The attack vector is network-based, requiring an attacker to supply a malicious tarball to a system using vulnerable versions of dbt-common. The attacker crafts a tarball containing files with carefully constructed paths that exploit the commonprefix() validation flaw. When the tarball is extracted, files are written to sibling directories with matching name prefixes, bypassing the intended directory containment check.
def safe_extract(tarball: tarfile.TarFile, path: str = ".") -> None:
"""
Fix for CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Uses os.path.commonpath() instead of commonprefix() to prevent path traversal
via sibling directories with matching prefixes (CVE-2026-1703).
"""
def _is_within_directory(directory, target):
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
try:
prefix = os.path.commonpath([abs_directory, abs_target])
return prefix == abs_directory
except ValueError:
# Captures the case of different drives on Windows so it fails safely
return False
# for py >= 3.12
if hasattr(tarfile, "data_filter"):
Source: GitHub Commit Update
Detection Methods for CVE-2026-29790
Indicators of Compromise
- Unexpected files appearing in directories adjacent to legitimate dbt extraction locations
- Files with unusual names in sibling directories that share common name prefixes with expected extraction paths
- Modification timestamps on configuration files or code in directories near dbt working directories that don't align with normal operations
Detection Strategies
- Monitor file system activity during tarball extraction operations for writes outside expected directories
- Implement file integrity monitoring on critical directories adjacent to dbt working directories
- Review application logs for tarball extraction events and correlate with unexpected file creation events
Monitoring Recommendations
- Enable audit logging for file creation events in directories containing dbt installations
- Configure alerts for any file writes to sensitive directories during package installation or update operations
- Deploy SentinelOne endpoint protection to detect and block path traversal exploitation attempts in real-time
How to Mitigate CVE-2026-29790
Immediate Actions Required
- Upgrade dbt-common to version 1.34.2 or 1.37.3 or later immediately
- Review file systems for any unexpected files in directories adjacent to dbt extraction paths
- Audit tarball sources to ensure they originate from trusted repositories
- Temporarily disable automatic tarball extraction if patching cannot be immediately performed
Patch Information
The vulnerability has been patched in dbt-common versions 1.34.2 and 1.37.3. The fix replaces os.path.commonprefix() with os.path.commonpath() for proper path component-based validation. The patch also adds error handling for Windows edge cases involving different drive letters. For detailed patch information, see the GitHub Commit Update and GitHub Security Advisory.
Workarounds
- Validate all tarball archives manually before extraction using tools that properly check for path traversal entries
- Restrict tarball extraction to isolated directories or sandboxed environments
- Implement application-level monitoring to detect and block extraction attempts that target parent or sibling directories
# Upgrade dbt-common to patched version
pip install --upgrade dbt-common>=1.37.3
# Verify installed version
pip show dbt-common | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
