The vulnerability identified as CVE-2026-29790 affects dbt-labs' dbt-common, a shared utility library used by dbt-core and its adapters. The issue arises in the safe_extract() function responsible for extracting tarball archives safely by ensuring extracted files remain within a designated directory. The function uses Python's os.path.commonprefix() to validate paths, but this method compares strings character-by-character rather than by directory components. This flawed validation allows a maliciously crafted tarball to include file paths that appear to be within the extraction directory by prefix but actually traverse outside it, enabling path traversal attacks. For example, a file path like 'target_dir/../evil_file' could bypass the check if the common prefix matches, allowing files to be written outside the intended directory. This can lead to overwriting or creating files in arbitrary locations accessible by the user running the extraction, potentially compromising data integrity or enabling further attacks such as local privilege escalation. The vulnerability affects dbt-common versions prior to 1.34.2 and 1.37.3, where the patch replaces the unsafe commonprefix() check with a more robust path validation method that correctly handles directory components. Exploitation requires an attacker to supply a malicious tarball and for a user to extract it using the vulnerable function, implying user interaction and limited privileges. No public exploits have been reported to date. The CVSS 4.0 base score is 2.0, indicating low severity due to the limited scope and complexity of exploitation. Nonetheless, the vulnerability highlights the risks of improper path validation in archive extraction routines and the importance of using secure path normalization techniques.

The primary impact of this vulnerability is the potential for an attacker to write or overwrite files outside the intended extraction directory, which can compromise data integrity and potentially affect system stability or security. While the attacker requires user interaction and limited privileges, successful exploitation could lead to local file manipulation, which might be leveraged for further attacks such as privilege escalation or persistence mechanisms if sensitive files are overwritten. Organizations relying on dbt-common for data transformation workflows could face disruption or data corruption if malicious tarballs are introduced, especially in environments where users extract archives from untrusted sources. However, the low CVSS score and absence of known exploits suggest the immediate risk is limited. Still, in high-security or regulated environments, even low-severity path traversal vulnerabilities warrant prompt remediation to prevent potential lateral movement or supply chain compromise. The impact is more pronounced in organizations with automated or semi-automated workflows that process external tarball inputs without strict validation.

To mitigate this vulnerability, organizations should upgrade dbt-common to versions 1.34.2 or 1.37.3 or later, where the safe_extract() function has been corrected to properly validate extraction paths. Until upgrades are applied, users should avoid extracting tarball archives from untrusted or unauthenticated sources using vulnerable versions. Implement additional validation layers by manually inspecting archive contents before extraction or using alternative extraction tools that enforce strict path normalization and sandboxing. Employ runtime monitoring to detect unexpected file writes outside designated directories during extraction processes. Incorporate security training to raise awareness about the risks of extracting archives from unknown origins. For environments with automated pipelines, enforce strict input validation and sandbox extraction operations to contain potential path traversal attempts. Regularly audit and review third-party dependencies for updates and security patches to reduce exposure to similar vulnerabilities.