CVE-2026-29790: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dbt-labs dbt-common
dbt-common is the shared common-utilities library used by dbt-core and adapter implementations. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
AI Analysis
Technical Summary
CVE-2026-29790 is a path traversal vulnerability (CWE-22) in dbt-labs' dbt-common, the shared utility library used by dbt-core and its adapter implementations. The flaw is in safe_extract(), the helper that unpacks tarball archives. Before writing each archive member, the function checked that the member's destination stayed inside the target directory by computing os.path.commonprefix() over the target directory and the member's resolved path and comparing the result with the target directory. commonprefix() operates on characters, not on path components, so a destination such as /opt/dbt/pkg is also a "prefix" of /opt/dbt/pkg-evil/payload. An archive entry named ../pkg-evil/payload therefore passes the check and is written into the sibling directory pkg-evil. The escape is limited to paths whose string begins with the destination path: this is a prefix-sibling write, not an arbitrary filesystem write, although every directory the extracting process can reach under such a name is exposed. Exploitation requires the attacker to supply a malicious tarball and a user or automated job with local write privileges to extract it, so user interaction is involved. The vulnerability does not by itself grant elevated privileges or remote code execution, but a file overwrite in a sibling directory can violate integrity or cause a denial of service, and becomes more serious if the overwritten file is later executed or loaded. dbt-common versions before 1.34.2 (1.34 line) and 1.37.3 (1.37 line) are affected; the fix corrects the path validation logic. No active exploitation has been reported. The CVSS 4.0 base score is 2.0 (low), reflecting the limited impact and the preconditions for exploitation.
Potential Impact
The primary impact is that an attacker-controlled archive can create or overwrite files outside the intended extraction directory, specifically in directories whose path begins with the same string as the destination. That is enough to replace configuration files, plant scripts or templates that are later loaded, or corrupt data that other jobs depend on. The vulnerability does not by itself provide privilege escalation or remote code execution, but a controlled file write is a common building block in multi-stage attacks and can be chained with other weaknesses. For organisations running dbt, the realistic scenario is a build or CI environment that unpacks archives from a third party (package sources, caches, artefacts from other pipelines) under the same account that owns neighbouring project or package directories. The low CVSS score and the need for user interaction limit the exposure, and environments that never extract untrusted tarballs are not affected. Overall the risk is low for most deployments and is removed entirely by upgrading.
Mitigation Recommendations
Upgrade dbt-common to 1.34.2 or later on the 1.34 line, or 1.37.3 or later on the 1.37 line, and rebuild any environment that pins an older release transitively through dbt-core or an adapter. Audit every process that extracts tarballs automatically, especially where the archive comes from an external or untrusted source, and stop accepting archives from sources you cannot verify. If you maintain your own extraction code, do not copy the commonprefix() pattern, and note that replacing it with realpath() plus a string startswith() has exactly the same defect: resolve both paths with os.path.realpath() (or pathlib.Path.resolve()) and then compare them component-wise with os.path.commonpath() or pathlib.Path.is_relative_to(). Also reject symbolic and hard link members whose targets resolve outside the destination. On Python 3.12 and later, tarfile's extractall(filter="data") performs these checks in the standard library. Run extraction under least privilege so the extracting account cannot write to neighbouring directories, monitor directories adjacent to dbt package and project locations for unexpected file creation, and make sure users understand the risks of extracting untrusted archives.
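The flawed check and a component-wise replacement side by side, as an added example written for this page (not dbt-common's code; the exact shape of the original safe_extract() is not reproduced here, and is_within_directory_commonprefix() assumes the common os.path.commonprefix() idiom that the advisory describes). The archive is constructed inside the script with a single entry named ../dest-evil/payload.txt and unpacked twice into a temporary directory, once under each check:

```python
import io
import os
import tarfile
import tempfile
from typing import Callable

CheckFn = Callable[[str, str], bool]


def is_within_directory_commonprefix(directory: str, target: str) -> bool:
    # FLAWED (assumed shape of the pattern CVE-2026-29790 describes, not the
    # project's own code): commonprefix() compares characters, not path
    # components, so "/x/dest" is a "prefix" of "/x/dest-evil/payload.txt".
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def is_within_directory_fixed(directory: str, target: str) -> bool:
    # HARDENED: resolve symlinks, then compare whole components with commonpath().
    real_directory = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    try:
        return os.path.commonpath([real_directory, real_target]) == real_directory
    except ValueError:  # e.g. paths on different Windows drives
        return False


def extract_with_check(tar: tarfile.TarFile, dest: str, check: CheckFn) -> list[str]:
    """Extract regular files only, refusing any member that fails `check`.

    Returns the resolved paths that were written so the caller can see where
    the data actually landed.
    """
    written = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not check(dest, target):
            raise ValueError(f"refusing member outside destination: {member.name!r}")
        if member.issym() or member.islnk():
            # Links are rejected outright here; a fuller implementation would
            # validate member.linkname the same way before creating the link.
            raise ValueError(f"refusing link member: {member.name!r}")
        if not member.isfile():
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh, tar.extractfile(member) as src:
            fh.write(src.read())
        written.append(os.path.realpath(target))
    return written


def build_tarball(member_name: str, payload: bytes) -> bytes:
    """Constructed sample archive: one regular file at an attacker-chosen name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> dict:
    """Run the crafted archive through both checks and report where the file went."""
    archive = build_tarball("../dest-evil/payload.txt", b"constructed payload")
    results = {}
    for label, check in (("flawed", is_within_directory_commonprefix),
                         ("fixed", is_within_directory_fixed)):
        with tempfile.TemporaryDirectory() as root:
            dest = os.path.join(root, "dest")
            os.mkdir(dest)
            try:
                with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                    written = extract_with_check(tar, dest, check)
                inside = os.path.realpath(dest) + os.sep
                escaped = any(not p.startswith(inside) for p in written)
                results[label] = "wrote outside dest" if escaped else "wrote inside dest"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints {'flawed': 'wrote outside dest', 'fixed': 'rejected'}: the commonprefix() check accepts the member because ".../dest" is a character prefix of ".../dest-evil/payload.txt" and the payload is written into the sibling directory, while the commonpath() check sees that the two paths share only the parent and refuses the member. The extraction loop writes regular files only and rejects link members outright; a production implementation would validate linkname the same way. On Python 3.12 and later, tarfile.extractall(filter="data") applies equivalent checks in the standard library.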
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.900Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab4093c48b3f10ffd6ce06
Added to database: 3/6/2026, 9:01:07 PM
Last enriched: 3/14/2026, 7:42:10 PM
Last updated: 4/21/2026, 5:34:37 AM