Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 66 pypi packages depend on dagster (64 direct, 2 indirect)
- 3 pypi packages depend on dagster-duckdb (3 direct, 0 indirect)
- 2 pypi packages depend on dagster-gcp (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.13.1 and other introduced versions.
DescriptionGitHub Advisory
Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.
AnalysisAI
SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.
Technical ContextAI
Dagster is a Python-based data orchestration platform that manages data pipelines and asset dependencies. The vulnerability resides in four I/O manager integrations (DuckDB, Snowflake, BigQuery, DeltaLake) that construct SQL WHERE clauses for partition filtering. These managers use string interpolation rather than parameterized queries when incorporating dynamic partition key values, violating CWE-89 (SQL Injection) best practices. The affected CPE is cpe:2.3:a:dagster-io:dagster for the core platform. Dynamic partitions in Dagster allow runtime definition of data slices, and partition keys are user-controlled strings. When an I/O manager builds queries like 'SELECT * FROM table WHERE partition_key = ' + user_input without escaping, it creates classic SQL injection vectors. The vulnerability spans multiple Python packages: dagster-duckdb, dagster-snowflake, dagster-gcp (BigQuery), and core dagster package (DeltaLake). Static partitions (predefined ranges) and time-window partitions (date-based) use different code paths that properly escape values, making them immune.
RemediationAI
Update to patched versions: Dagster Core 1.13.1 and all Dagster library packages to 0.29.1 (dagster-duckdb, dagster-snowflake, dagster-gcp 0.29.1). Release available at https://github.com/dagster-io/dagster/releases/tag/1.13.1. The fix implements proper SQL escaping of partition key values before query construction across all affected I/O managers. No configuration changes required alongside the update - only Python package versions need upgrading. Dagster+ agents, OSS daemons, and webservers do not require separate updates. For organizations unable to apply patches immediately, the vendor provides manual workarounds at https://gist.github.com/gibsondan/6d0c483f8499a8b1cd460cddc9fd8f72 (workarounds not detailed in provided data, but likely involve input validation or restricting dynamic partition creation). Compensating control: audit and restrict 'Add Dynamic Partitions' permission to only users who already have equivalent database access through other means, reducing attack surface. In Dagster+, review custom RBAC configurations to ensure this permission aligns with actual database access needs. Consider temporarily disabling dynamic partitions on affected I/O managers if operationally feasible, forcing use of static or time-window partitions which are not vulnerable. Trade-off: restricting permissions or disabling dynamic partitions reduces pipeline flexibility for legitimate use cases like event-driven data processing.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28368
GHSA-mjw2-v2hm-wj34