External Control of File Name or Path Affecting recce package, versions [,1.50.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-RECCE-17816647
  • published4 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-49360  (opens in a new tab)
CWE-73  (opens in a new tab)

How to fix?

Upgrade recce to version 1.50.0 or higher.

Overview

recce is an Environment diff tool for dbt

Affected versions of this package are vulnerable to External Control of File Name or Path via the query run API when configured with a DuckDB-backed project. An attacker can access or modify local files accessible to the server process, potentially leading to disclosure of sensitive files, tampering with artifacts, modification of static files resulting in stored XSS, or alteration of application files by sending crafted SQL queries that leverage DuckDB filesystem primitives. This is only exploitable if the server is exposed to an untrusted network without authentication.

Workaround

This vulnerability can be mitigated by enabling authentication, placing the server behind an authenticated reverse proxy or VPN, running the server as a non-root user, using a read-only application filesystem, and ensuring sensitive files or credentials are not accessible to the server process.

CVSS Base Scores

version 4.0
version 3.1