Description
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.
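The pattern the description names, with the environment-variable indirection that removes it, as an added illustration constructed for this page (not the dbt-labs workflow or the content of its fix commit); the action version tag, marker text and step names are assumptions.

```yaml
# Constructed example: a prep job that looks for an earlier "docs issue" comment.
jobs:
  prep:
    runs-on: ubuntu-latest
    steps:
      - id: issue_comment
        uses: peter-evans/find-comment@v3          # version tag assumed
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: "docs issue opened"      # marker text assumed

      # Vulnerable shape (do not copy): the ${{ }} expression is expanded by
      # the Actions runner into the script text *before* bash parses it, so a
      # comment containing a closing quote followed by shell syntax is executed
      # as part of the step.
      - name: check (unsafe)
        run: |
          if [ "${{ steps.issue_comment.outputs.comment-body }}" != "" ]; then
            echo "docs issue already opened"
          fi

      # Hardened shape: the runner places the value in an environment variable
      # and bash only ever sees the quoted expansion "$COMMENT_BODY", which is
      # never re-parsed as code, whatever the comment contains.
      - name: check (safe)
        env:
          COMMENT_BODY: ${{ steps.issue_comment.outputs.comment-body }}
        run: |
          if [ -n "$COMMENT_BODY" ]; then
            echo "docs issue already opened"
          fi
```

The same rule applies to every attacker-influenced context value (issue titles, PR bodies, branch names, commit messages): pass it through `env:` or an action input, never splice it into `run:` text.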
Published: 2026-04-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution via Workflow Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in a reusable workflow file used by dbt-labs. A bash if statement incorporates the output of peter-evans/find-comment without sanitization, allowing an attacker who can supply a comment body to break out of a quoted string and inject arbitrary shell commands. The result is that malicious commands can be executed within the workflow environment, potentially compromising the CI pipeline and any secrets it has access to.

Affected Systems

The affected product is dbt-labs:dbt-core. No specific version information is listed, so any deployment that includes the open-issue-in-repo.yml workflow and uses the vulnerable comment handling may be impacted.

Risk and Exploitability

The CVSS 4.0 score of 9.3 falls in the Critical range, and while EPSS data is not available, the vulnerability is not currently cataloged as a known exploited vulnerability. The likely attack vector is a malicious comment posted to a repository that uses the vulnerable workflow. If an adversary can control the comment body, they can inject shell commands into the workflow's prep job, enabling arbitrary code execution in the CI environment.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the open-issue-in-repo.yml workflow file with the fixed version referenced in commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9 or later.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Dbt-labs; Dbt-labs dbt-core

Type: Vendors & Products
Values Added: Dbt-labs; Dbt-labs dbt-core

Wed, 08 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
Values Added: dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. Because comment-body is attacker-controlled text and is inserted into shell syntax without escaping, a malicious comment body can break out of the quoted string and inject arbitrary shell commands. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.

Type: Title
Values Added: dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output

Type: Weaknesses
Values Added: CWE-78

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:14:59.745Z

Reserved: 2026-04-06T22:06:40.515Z

Link: CVE-2026-39382

Vulnrichment

Updated: 2026-04-08T16:12:33.218Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T20:16:32.980

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-39382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:23:04Z

Weaknesses