CVE-2026-39382
Description
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. In the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an existing comment indicating that a docs issue has already been opened. The step output steps.issue_comment.outputs.comment-body is then interpolated directly into a bash if statement. A workflow expression is substituted into the script text before the shell starts, so the comment text becomes part of the shell source rather than data the script reads at run time. Because comment-body is attacker-controlled text (it comes from an issue comment) and is inserted into shell syntax without escaping, a comment body containing a double quote can close the quoted string and append arbitrary shell commands, which then execute with the workflow's permissions. This vulnerability is fixed with commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.
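The following script is an added example, not code from the dbt-labs/actions workflow or from the fix commit. It models what the GitHub Actions runner does with an expression inside a run: step (textual substitution before the shell is invoked) and contrasts the vulnerable pattern with the usual hardening of passing the value through an environment variable. The step id and output name follow the advisory; the if body, the marker file and the sample comment payload are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the dbt-labs/actions workflow). It emulates how
# ${{ steps.issue_comment.outputs.comment-body }} is expanded: the runner
# rewrites the script text, then hands it to the shell, so an untrusted
# step output is parsed as shell source.

WORK="$(mktemp -d)"
MARKER="$WORK/injected"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of a malicious comment body. The leading `"` closes the
# string the workflow author opened, the command in the middle runs, and the
# trailing `"` reopens the string so the rest of the line still parses.
PAYLOAD="\"; touch $MARKER; echo \""

# Vulnerable pattern, as it would appear in a workflow (hypothetical body):
#   run: |
#     if [ "${{ steps.issue_comment.outputs.comment-body }}" != "" ]; then ...
# The runner substitutes the output into the text; render_vulnerable does the
# same substitution so the resulting script is visible.
render_vulnerable() {
  body="$1"
  printf 'if [ "%s" != "" ]; then echo "docs issue already open"; fi\n' "$body"
}

# Hardened pattern: the value travels in an environment variable and the
# script references "$COMMENT_BODY" at run time, so it is never parsed as code.
#   env:
#     COMMENT_BODY: ${{ steps.issue_comment.outputs.comment-body }}
#   run: |
#     if [ "$COMMENT_BODY" != "" ]; then ...
render_hardened() {
  printf 'if [ "$COMMENT_BODY" != "" ]; then echo "docs issue already open"; fi\n'
}

# Returns 0 if the attacker's command ran (the marker file was created).
injection_succeeded() {
  rm -f "$MARKER"
  sh -c "$(render_vulnerable "$1")" >/dev/null 2>&1
  [ -e "$MARKER" ]
}

# Same check for the hardened script; returns 1 when the body stayed data.
hardened_injection_succeeded() {
  rm -f "$MARKER"
  COMMENT_BODY="$1" sh -c "$(render_hardened)" >/dev/null 2>&1
  [ -e "$MARKER" ]
}

echo "script the shell actually receives in the vulnerable case:"
render_vulnerable "$PAYLOAD"
if injection_succeeded "$PAYLOAD"; then
  echo "vulnerable pattern: injected command ran"
fi
if hardened_injection_succeeded "$PAYLOAD"; then
  echo "hardened pattern: injected command ran (unexpected)"
else
  echo "hardened pattern: comment body treated as data"
fi
```

The rendered vulnerable script shows why the runner's default bash -e flags do not help: the injected commands sit inside the if condition list, where errexit is ignored, and the malformed `[ ""` test simply fails before the next command runs. The hardened form keeps the same if logic; only the transport of the untrusted value changes.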
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)