Description
Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL in the context of the victim user's Snowflake session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges assigned to that session. The fix is available in Snowflake CLI version 3.19. Users must manually upgrade.
Published: 2026-06-29
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-controlled content in Snowflake CLI allowed unintended SQL execution. An attacker could supply crafted repository, project, manifest, or specification data that, when processed by a vulnerable CLI command, caused the client to run SQL commands in the context of the victim’s Snowflake session. The impact is direct loss of confidentiality, integrity, and availability of the data accessible to that session, and the vulnerability is a classic input‑validation flaw (CWE‑89).

Affected Systems

Versions of Snowflake CLI prior to 3.19 are affected. Users running Snowflake CLI 3.18 or older may fall victim if they process attacker-controlled repository content, project settings, manifest files, or specification inputs. The fix is shipped in Snowflake CLI 3.19 and later, which properly sanitizes such inputs.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity. Exploitation requires the attacker to insert malicious content into a location that a user's CLI command will read, and the CLI must be running against an authenticated Snowflake session, since the injected SQL executes in that session's context. Because the flaw is confined to the client, it does not allow arbitrary remote code execution on the Snowflake server, but it can be used to run arbitrary SQL as the victim, with privileges limited to those granted to the session. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog, so the known exploitation probability remains uncertain, yet the high CVSS and the fact that any victim can trigger it simply by running a command on compromised content make it a significant threat.

Generated by OpenCVE AI on June 29, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snowflake CLI to version 3.19 or later
  • Ensure that any repository, project, manifest, or specification files processed by the CLI are from trusted, authenticated sources before any command execution
  • Implement or enforce stricter input validation for content paths read by Snowflake CLI to reject or sanitize unfamiliar or suspicious data

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Snowflake; Snowflake snowflake Cli
Vendors & Products  |                | Snowflake; Snowflake snowflake Cli

Mon, 29 Jun 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 16:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL in the context of the victim user's Snowflake session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges assigned to that session. The fix is available in Snowflake CLI version 3.19. Users must manually upgrade.
Title       |                | Snowflake CLI SQL Injection Through Improper Neutralization of User-Controlled Input
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: SNOWFLAKE

Published:

Updated: 2026-06-29T16:23:42.013Z

Reserved: 2026-06-29T15:29:41.713Z

Link: CVE-2026-13744

Vulnrichment

Updated: 2026-06-29T16:23:36.497Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:19Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')