17 matches found
CVE-2026-41490
CVE-2026-41490 affects Dagster’s dynamic partition keys in I/O managers (DuckDB, Snowflake, BigQuery, DeltaLake). Prior to Dagster Core 1.13.1 and Dagster libraries 0.29.1, SQL WHERE clauses were built by interpolating partition key values without escaping, allowing a user with Add Dynamic Partit...
CVE-2026-41490 Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating...
EUVD-2025-22342
Malicious code in bioql PyPI...
Local File Inclusion (LFI)
Dagster is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper validation of the notebookpath field in ExternalNotebookData requests, which allows an attacker to perform path traversal and read arbitrary files by bypassing the intended extension-based check...
CVE-2025-51481
Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...
Dagster Local File Inclusion vulnerability
Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...
PYSEC-2025-102
Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...
PYSEC-2025-102
Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...
CVE-2025-51481
Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...
PT-2025-30442 · Dagster · Dagster
Name of the Vulnerable Software and Affected Versions: Dagster version 1.10.14 Description: A local file inclusion issue exists in the dagster.grpc.impl.getnotebookdata function. Attackers with access to the gRPC server can read arbitrary files by providing path traversal sequences in the...
Directory Traversal
Dagster is vulnerable to Directory Traversal. The vulnerability is due to improper input sanitization in the /logs endpoint, which allows crafted requests to access sensitive files, particularly those with names starting with a dot...
CVE-2023-51232
Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot '.'...
acryl-datahub-dagster-plugin (>=0.0.0.dev0 <=1.6.0rc1), agentflow-runtime (>=1.1.0 <=1.4.0) +231 more potentially affected by CVE-2023-51232 via dagster (>=1.0.0 <=1.5.10)
dagster PYPI version =1.0.0, =0.0.0.dev0, =1.1.0, =0.1.0.dev419, =2.7.1, =2023.12.1, =0.0.1, =0.1.0, =0.0.1, =0.16.0, =0.4.0, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2023-51232 Source advisory: SNYK:PYTHON-DAGSTER-10664501...
acryl-datahub-dagster-plugin (>=0.0.0.dev0 <=1.6.0rc1), agentflow-runtime (>=1.1.0 <=1.4.0) +233 more potentially affected by CVE-2023-51232 via dagster (>=0.1.1 <=1.5.10)
dagster PYPI version =0.1.1, =0.0.0.dev0, =1.1.0, =0.1.0.dev419, =2.7.1, =2023.12.1, =0.0.1, =0.1.0, =0.0.1, =0.16.0, =0.4.0, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2023-51232 Source advisory: OSV:GHSA-Q93C-P2MW-P23F...
Dagster vulnerable to Path Traversal attack through its /logs endpoint
Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.10 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot '.'...
Dagster Security Vulnerability
Dagster is an open source orchestration platform for developing, producing and observing data assets. A security vulnerability exists in Dagster 1.5.11 and earlier versions that stems from improper handling of the logs endpoint, which could lead to the disclosure of sensitive information...
CVE-2023-51232
Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot '.'...