Skip to main content

Dbt Core CVE-2026-39382

| EUVDEUVD-2026-19918 CRITICAL
OS Command Injection (CWE-78)
2026-04-07 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 15:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19918
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:56 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.

AnalysisAI

Command injection in dbt-labs/actions workflow allows remote code execution via malicious GitHub issue comments. Unauthenticated attackers can inject arbitrary shell commands through unescaped comment-body output in the open-issue-in-repo.yml reusable workflow, affecting dbt-core infrastructure. The vulnerability exists in GitHub Actions workflows where attacker-controlled comment text is interpolated directly into bash if statements without sanitization. Fixed in commit bbed8d28, no public exploit identified at time of analysis, but EPSS scoring and CVSS 9.3 indicate critical severity with network attack vector requiring no privileges.

Technical ContextAI

This vulnerability affects the dbt-labs/actions reusable GitHub Actions workflow (open-issue-in-repo.yml). The workflow uses peter-evans/find-comment to retrieve existing issue comments, then passes the comment-body output directly into a bash conditional statement without proper escaping or sanitization. CWE-78 (OS Command Injection) occurs because the workflow treats untrusted user input (GitHub issue comment text) as executable code. When the comment body contains shell metacharacters or command substitution syntax (e.g., backticks, $(), semicolons), these are interpreted by the shell rather than treated as literal strings. The affected product is dbt-core (cpe:2.3:a:dbt-labs:dbt-core), a data transformation framework that relies on GitHub Actions for CI/CD automation. The vulnerability resides in the workflow infrastructure rather than the core application code, but can compromise the build pipeline and associated secrets.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed. Organizations must update their dbt-labs/actions workflow references to commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 or later, which implements proper escaping of comment-body output before shell interpolation. Review all GitHub Actions workflows that use dbt-labs/actions/open-issue-in-repo.yml and update the workflow reference to point to the fixed commit hash or a tag containing the fix. As an immediate workaround, organizations can temporarily disable the vulnerable workflow or implement input validation to sanitize comment text before processing. Audit repository secrets and rotate any credentials that may have been exposed if suspicious workflow executions are detected in Actions logs. Review GitHub Actions audit logs for unusual command execution patterns or unauthorized workflow runs. Full remediation guidance and patch details are available in the vendor advisory at https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82 and the fix commit at https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9.

Share

CVE-2026-39382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy