Browse all 4 CVE security advisories affecting dbt-labs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
dbt-labs develops dbt, a data transformation tool that enables analysts to convert raw data into analytics through SQL-based models. Historically, their vulnerabilities have included remote code execution, cross-site scripting, and privilege escalation risks, often stemming from improper input validation and access control flaws. While no major public security incidents have been widely reported, the organization maintains four CVE records, highlighting ongoing security considerations. Their open-source nature requires regular security audits, particularly for web interfaces and authentication mechanisms, to mitigate risks associated with third-party dependencies and user-supplied data processing.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-39382 | dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output — dbt-coreCWE-78 | 8.8AI | HighAI | 2026-04-07 |
| CVE-2026-29790 | dbt-common: commonprefix() doesn't protect against path traversal — dbt-commonCWE-22 | 7.5 | - | 2026-03-06 |
| CVE-2024-40637 | Implicit override for built-in materializations from installed packages in dbt-core — dbt-coreCWE-74 | 4.2 | Medium | 2024-07-16 |
| CVE-2024-36105 | dbt allows Binding to an Unrestricted IP Address via socketsocket — dbt-coreCWE-1327 | 5.3 | Medium | 2024-05-27 |
This page lists every published CVE security advisory associated with dbt-labs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.