RCE in Dbt-labs Dbt-core
CVE-2026-39382
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, t…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.000 (6.3th percentile)
Affected products
- Dbt-labs Dbt-core — versions < bbed8d28354e9c644c5a7df13946a3a0451f9ab9
Weakness classification (CWE)
References
- https://github.com/dbt-labs/dbt-core/security/advisories/GHSA-5jxf-vmqr-5g82 (x_refsource_CONFIRM)
- https://github.com/dbt-labs/actions/commit/bbed8d28354e9c644c5a7df13946a3a0451f9ab9 (x_refsource_MISC)