CVE-2026-39382 Overview
A command injection vulnerability, rated critical, has been identified in a reusable GitHub Actions workflow published from the dbt-labs/actions repository. dbt (data build tool) enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. The vulnerable workflow, dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, interpolates user-controlled input directly into a shell script, allowing attackers to inject and execute arbitrary shell commands within the CI/CD pipeline context.
Critical Impact
Any GitHub account able to comment on an issue or pull request in an affected repository, with no special privileges on that repository, can achieve arbitrary command execution on the GitHub Actions runner by crafting a malicious comment body, potentially compromising the CI/CD pipeline, the secrets available to the job, and repository integrity.
Affected Products
- dbt-labs/actions GitHub Actions workflows (prior to commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9)
- Repositories using the vulnerable open-issue-in-repo.yml reusable workflow
- dbt-core repositories that call the affected workflow
Discovery Timeline
- 2026-04-07 - CVE-2026-39382 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39382
Vulnerability Analysis
This vulnerability represents a classic CWE-78 (OS Command Injection) flaw within a GitHub Actions CI/CD context. The root issue lies in the unsafe interpolation of user-controlled data into shell command syntax without proper sanitization or escaping.
Within the open-issue-in-repo.yml reusable workflow, the prep job utilizes the peter-evans/find-comment action to search for existing comments that indicate whether a documentation issue has already been opened. The action outputs the comment body through steps.issue_comment.outputs.comment-body, which is subsequently interpolated directly into a bash conditional statement.
Because comments on GitHub Issues and Pull Requests can be authored by any GitHub account (on a public repository that includes users with no role in the project at all), the comment-body value is entirely attacker-controlled. When this untrusted input is inserted into shell syntax without escaping, a malicious actor can craft a comment body that closes the quoted string, terminates the conditional, and injects arbitrary shell commands.
The exploitation surface is particularly dangerous because the job runs with the workflow's GITHUB_TOKEN and any secrets passed to it. A reusable workflow whose purpose is to open issues in another repository needs a token that can write to that repository, so code execution on the runner translates directly into secret theft, abuse of stored deployment credentials, and writes to repository contents.
Root Cause
The vulnerability stems from placing steps.issue_comment.outputs.comment-body inside a ${{ }} expression within the run: script of a bash if statement. GitHub Actions expands ${{ }} expressions textually into the script before the shell is started, so the comment body becomes part of the script's source rather than a value the shell handles as data. Nothing in that expansion escapes shell metacharacters, and the double quotes around the expression in the script cannot help, because the attacker's text can itself contain the closing quote. This is why any user-controlled data placed in a ${{ }} expression inside a run: step is an injection.
Attack Vector
An attacker exploits this by creating or editing a comment on an issue or pull request in a repository whose workflow calls the vulnerable reusable workflow, so that find-comment returns the attacker's comment. The malicious comment body contains shell metacharacters that close the string context and append further commands.
For example, a body containing a closing double quote followed by a command separator (a semicolon, a newline, or &&), or a command substitution (backticks or $( )), results in the attacker's commands running on the GitHub Actions runner with the job's permissions. This could be leveraged to:
- Exfiltrate repository secrets and environment variables
- Modify repository contents or create malicious commits
- Pivot to connected services using stored credentials
- Establish persistence through workflow modifications
For technical details on the vulnerability and fix, see the GitHub Security Advisory GHSA-5jxf-vmqr-5g82.
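The mechanism described under Root Cause and Attack Vector, as an added example that is not code from dbt-labs/actions or the advisory: the script below reproduces the ${{ }} expansion with a plain text splice, runs the result in a fresh bash process once with a benign comment and once with a constructed malicious one, and then repeats the check with the env-variable pattern. The one-line if template, the "docs issue opened" marker text and the PWNED command are assumptions standing in for the real workflow step.

```shell
#!/bin/sh
# Added example, not code from dbt-labs/actions. It reproduces the CVE-2026-39382
# mechanism: GitHub expands a ${{ }} expression into the `run:` script as raw
# text before bash parses it, so a comment body can close the quoted string
# and append its own commands. The template, marker text and the PWNED
# command are assumptions standing in for the real workflow step.

EXPR='${{ steps.issue_comment.outputs.comment-body }}'

# Hypothetical vulnerable step: the comment body is spliced into the script
# source, inside a double-quoted string.
VULNERABLE_TEMPLATE="if [[ \"$EXPR\" == *\"docs issue opened\"* ]]; then echo match; else echo no-match; fi"

# Hardened step: the body arrives in an environment variable. bash expands
# "$COMMENT_BODY" to a single string and never re-parses it as code.
HARDENED_SCRIPT='if [[ "$COMMENT_BODY" == *"docs issue opened"* ]]; then echo match; else echo no-match; fi'

# Emulate the Actions expression expansion: a plain text splice of the body
# into the script. Done in awk so this file runs under POSIX sh as well as bash.
render_vulnerable() {
  printf '%s\n' "$VULNERABLE_TEMPLATE" | awk -v expr="$EXPR" -v body="$1" '
    { i = index($0, expr); print substr($0, 1, i - 1) body substr($0, i + length(expr)) }'
}

# Run the rendered script in a fresh bash, as the runner would, and return
# whatever it prints.
run_vulnerable() {
  bash -c "$(render_vulnerable "$1")" 2>/dev/null
}

# Same check, but the value reaches the script only through the environment.
run_hardened() {
  COMMENT_BODY="$1" bash -c "$HARDENED_SCRIPT" 2>/dev/null
}

# Constructed attacker comment: closes the quoted string, finishes the `if`,
# runs its own command, then opens a new `if` so the rest of the original
# line still parses. Swap `echo PWNED` for a command that dumps the job's
# environment or pushes to the repository and you have the impact above.
MALICIOUS_BODY='x" == "x" ]]; then :; fi; echo PWNED; if [[ "y'
BENIGN_BODY='docs issue opened: #123'

echo "vulnerable, benign comment:    $(run_vulnerable "$BENIGN_BODY")"
echo "vulnerable, malicious comment: $(run_vulnerable "$MALICIOUS_BODY" | tr '\n' ' ')"
echo "hardened,   malicious comment: $(run_hardened "$MALICIOUS_BODY")"
```

Running it shows the benign comment matching in both variants, the malicious comment printing PWNED before the original conditional even runs in the vulnerable variant, and the same bytes producing a plain no-match in the hardened one: the env-variable version needs no escaping because the shell never treats the value as code.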
Detection Methods for CVE-2026-39382
Indicators of Compromise
- Unexpected GitHub Actions workflow runs triggered by comment events
- Unusual commands or processes spawned within GitHub Actions runner logs
- Comments on issues or pull requests whose bodies contain shell metacharacters (backticks, $(), semicolons, pipes, an unbalanced double quote); noisy on its own, since legitimate comments often carry code, so correlate with the workflow runs those comments triggered
- Unauthorized modifications to repository contents or secrets
- Suspicious network connections originating from GitHub Actions runners
Detection Strategies
- Review GitHub Actions workflow run logs for anomalous command execution patterns
- Implement audit logging for all comment creation and modification events
- Monitor for comments containing potential shell injection payloads using pattern matching
- Track workflow trigger sources and correlate with user privilege levels
Monitoring Recommendations
- Enable code scanning for workflow files (for example CodeQL's GitHub Actions queries, or a dedicated workflow linter such as zizmor) to flag ${{ }} expressions that place untrusted contexts inside run: scripts
- Configure alerts for workflow runs triggered by comment events from external contributors
- Where no scanner is available, grep workflow files for ${{ }} expressions referencing github.event.comment.body, github.event.issue.title, github.event.pull_request.body, steps.*.outputs.* and similar contexts inside run: steps, and review each hit
- Review Actions permissions and secret access for reusable workflows
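One way to implement the scanning rule above, as an added example (not a dbt-labs, GitHub or CodeQL tool): a POSIX shell and awk scanner that reports ${{ }} expressions referencing commenter-controlled contexts inside run: scripts while ignoring the same expressions under env: or with:, run against a constructed sample workflow. The context list, the sample workflow and the scanner's limited understanding of YAML (single-line run: and run: | block scalars only) are assumptions.

```shell
#!/bin/sh
# Added example, not code from dbt-labs/actions or a GitHub tool: a minimal
# scanner for the pattern behind CVE-2026-39382, a ${{ }} expression that
# carries commenter-controlled data directly inside a `run:` script. It only
# understands the YAML layouts used in the constructed sample below; for real
# audits use zizmor or code scanning with CodeQL's GitHub Actions queries.

# Expression sources a commenter or PR author can influence (assumed list).
# steps.*.outputs.* is included because that is how the comment body reached
# the shell in open-issue-in-repo.yml: via find-comment's comment-body output.
# Written without backslashes so it can be handed to awk with -v unchanged.
UNTRUSTED='github[.]event[.](comment|issue|pull_request|review)[.](body|title)|github[.]event[.]pull_request[.]head[.]ref|github[.]head_ref|steps[.][A-Za-z0-9_-]+[.]outputs[.][A-Za-z0-9_-]+'

# Print "LINE: text" for every run-script line that interpolates one of the
# contexts above. Lines under env:, with:, if: and so on are ignored on
# purpose: there the value is not parsed as shell.
scan_workflow() {
  awk -v untrusted="$UNTRUSTED" '
    BEGIN { re = "[$][{][{][^}]*(" untrusted ")[^}]*[}][}]" }
    # leading spaces, counting a "- " list marker as indentation too
    function lead(s,   n) {
      match(s, /^ */); n = RLENGTH
      if (substr(s, n + 1, 2) == "- ") n += 2
      return n
    }
    # "run: |" or "run: >" opens a block scalar continued on deeper-indented lines
    /^ *(- )?run: *[|>]/ { in_run = 1; run_indent = lead($0); next }
    # single-line run: the whole script is on this line
    /^ *(- )?run:/ { in_run = 0; if ($0 ~ re) print NR ": " $0; next }
    in_run && (lead($0) > run_indent || $0 ~ /^ *$/) {
      if ($0 ~ re) print NR ": " $0; next
    }
    { in_run = 0 }
  ' "$1"
}

# Constructed sample workflow: two vulnerable steps and one hardened step.
# The find-comment step mirrors the shape described for open-issue-in-repo.yml.
write_sample() {
  cat > "$1" <<'EOF'
name: constructed-sample
on:
  issue_comment:
    types: [created]
jobs:
  prep:
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/find-comment@v3
        id: issue_comment
        with:
          issue-number: ${{ github.event.issue.number }}
          body-includes: docs issue
      - name: vulnerable, expression inside the script
        run: |
          if [[ "${{ steps.issue_comment.outputs.comment-body }}" == *"docs issue"* ]]; then
            echo "already opened"
          fi
      - name: also vulnerable, single-line run
        run: echo "${{ github.event.comment.body }}"
      - name: safe, value passed through env
        env:
          COMMENT_BODY: ${{ steps.issue_comment.outputs.comment-body }}
        run: |
          if [[ "$COMMENT_BODY" == *"docs issue"* ]]; then echo "already opened"; fi
EOF
}

SAMPLE="${TMPDIR:-/tmp}/cve-2026-39382-sample-$$.yml"
write_sample "$SAMPLE"
echo "Findings in $SAMPLE (the two run: lines that interpolate untrusted data):"
scan_workflow "$SAMPLE"
```

The scanner reports only the two run: lines that embed the expression; the identical expression on the env: line of the hardened step is not reported, which is exactly the distinction the fix for this CVE relies on. Point scan_workflow at .github/workflows/*.yml in a repository to triage real files, and treat any hit as a finding to review rather than as proof of exploitability.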
How to Mitigate CVE-2026-39382
Immediate Actions Required
- Update every uses: reference to dbt-labs/actions/.github/workflows/open-issue-in-repo.yml so that it resolves to commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 or a later ref, and pin the full commit SHA rather than a branch name so the fix cannot silently regress
- Audit all repositories using the open-issue-in-repo.yml reusable workflow
- Review GitHub Actions workflow run history for signs of exploitation
- Rotate any secrets that may have been accessible to the vulnerable workflow
- Restrict workflow permissions to minimum required access
Patch Information
The vulnerability has been fixed in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9. Organizations should update their references to the dbt-labs/actions repository to include this fix.
For complete patch details, see the GitHub Commit bbed8d2.
Workarounds
- Stop calling the vulnerable workflow until the patched ref is in use
- Pass user-controlled values into run: steps through env: entries and reference them as "$VARIABLE" in the script, instead of interpolating them with ${{ }}
- Do not rely on escaping or sanitizing the comment body before interpolation; the env: approach is both simpler and complete, because the shell then never parses the value as code
- Gate the job so that only trusted commenters reach it, for example with an if: condition on github.event.comment.author_association (OWNER, MEMBER or COLLABORATOR); branch protection rules and required reviews do not restrict comment-triggered workflow runs
# Example: safe handling of user input in GitHub Actions
# Instead of interpolating the expression into the script, pass it through
# an environment variable; the shell then receives the comment only as data.
- name: Check whether a docs issue was already opened
  env:
    COMMENT_BODY: ${{ steps.issue_comment.outputs.comment-body }}
  run: |
    # bash expands "$COMMENT_BODY" to one string and never re-parses its
    # contents as commands, so no escaping (printf %q or otherwise) is needed;
    # escaping would in fact alter the text and break the pattern match.
    if [[ "$COMMENT_BODY" == *"expected_pattern"* ]]; then
      echo "Pattern found"
    fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

