dbt workflow command injection enables CI runner code execution
TL;DR — A reusable dbt GitHub Actions workflow can be tricked into running attacker-controlled shell commands by interpolating untrusted issue-comment text into a bash if statement.
What happened
dbt is a popular data transformation toolchain, and dbt-labs/actions provides reusable GitHub Actions workflows used to automate repo tasks. CVE-2026-39382 describes a Critical command injection issue in the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml.
Per the CVE record and linked advisory, the workflow’s prep job uses peter-evans/find-comment to locate an existing comment, then interpolates steps.issue_comment.outputs.comment-body directly into a bash if expression. Because the comment body can be attacker-controlled and is inserted into shell syntax without escaping, a crafted comment can break out of quoting and inject arbitrary commands.
The advisory notes this can lead to CI secret exfiltration and broader automation compromise (e.g., if a privileged bot token is present in the workflow environment), not just a single job failure.
| Item | Source value |
|---|---|
| Affected component | dbt-labs/actions/.github/workflows/open-issue-in-repo.yml (reusable workflow) |
| Severity | CVSS v4.0 9.3 (Critical) |
| CVSS v4.0 vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Fix status | "This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9." |
This is the same failure mode that keeps showing up in CI/CD incidents: treating untrusted content (issue/PR text, comment bodies, or tool outputs derived from them) as trusted shell syntax in privileged automation.
Who is impacted
- Repositories that consume the reusable workflow
dbt-labs/actions/.github/workflows/open-issue-in-repo.ymlfrom commits beforebbed8d28354e9c644c5a7df13946a3a0451f9ab9. - Workflows where the comment-search behavior can be influenced by an attacker (for example, if the search is not sufficiently constrained to a trusted author and can be satisfied by an attacker’s “spoofed” comment).
- Any CI environment where the job has access to sensitive secrets/tokens (the advisory highlights the risk of secrets exfiltration and privileged bot credentials).
What to do now
- Follow vendor remediation guidance.
"This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9."
- Inventory where your org references
dbt-labs/actionsreusable workflows and identify any usage ofopen-issue-in-repo.ymlpinned to an older ref (branch/tag/SHA). - Treat this as CI compromise-prone until you’ve validated your exposure:
- review recent workflow runs that executed this reusable workflow
- rotate secrets exposed to the workflow if suspicious activity is found
- Apply the mitigation guidance from the advisory to your own workflows (this issue class is broader than dbt):
"Do not interpolate untrusted workflow values directly into shell code" "Pass untrusted values through environment variables and compare them safely in bash"
- If you use comment-search automation patterns (e.g.,
find-comment), ensure the workflow constrains the match to trusted authors/markers so attacker-authored comments can’t be selected as “trusted state.”
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.