Description
Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Published: 2026-06-29
Score: 3.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snowflake CLI versions prior to 3.19 suffered from improper neutralization of local CLI parameters, allowing either Cortex SQL or object listing commands to be built with user-supplied values that were treated as executable SQL. The flaw does not grant new privileges; it simply lets a local user run unintended SQL statements in the context of their existing Snowflake session, because the vulnerable arguments are provided directly on the command line rather than from external files or repositories.
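The bug class described above, as an added illustration rather than Snowflake CLI's own code: a hypothetical object listing builder that splices local CLI arguments straight into a SHOW TABLES statement, beside a hardened version that validates the schema identifier and escapes the LIKE pattern, plus a small statement-count check a reviewer can run over generated SQL to spot the unsafe form.

```python
import re

# Illustrative helpers only, not Snowflake CLI's own code: they model the bug
# class in the advisory, a local CLI argument spliced into SQL statement text.

# Snowflake unquoted identifiers: letter or underscore, then letters, digits, _ or $.
_UNQUOTED_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def sql_string_literal(value: str) -> str:
    """Render value as a single-quoted Snowflake string literal, escaping
    backslashes and single quotes so the literal cannot be closed early."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return f"'{escaped}'"


def build_list_tables_unsafe(schema: str, pattern: str) -> str:
    """Hypothetical pre-fix style: CLI arguments become SQL text verbatim."""
    return f"SHOW TABLES LIKE '{pattern}' IN SCHEMA {schema}"


def build_list_tables_safe(schema: str, pattern: str) -> str:
    """Hardened builder: the identifier is validated, the pattern is escaped."""
    if not _UNQUOTED_IDENT.match(schema):
        raise ValueError(f"schema must be a plain identifier, got {schema!r}")
    return f"SHOW TABLES LIKE {sql_string_literal(pattern)} IN SCHEMA {schema}"


def statement_count(sql: str) -> int:
    """Count top-level statements, ignoring semicolons inside string literals.
    A builder meant to emit one statement per call should always return 1;
    anything higher means caller-supplied text escaped its literal."""
    count, in_string, i = 1, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == "'":
                in_string = False
        elif ch == "'":
            in_string = True
        elif ch == ";" and i < len(sql) - 1:
            count += 1  # separator followed by more text: another statement
        i += 1
    return count
```

Running statement_count over every statement a CLI emits (for example in a unit test of each command path) turns the advisory's bug class into a regression check.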

Affected Systems

The affected product is the Snowflake CLI, all versions preceding 3.19. Users employing the CLI for local command execution where parameters are supplied via the command line are at risk.

Risk and Exploitability

The CVSS score of 3.6 indicates low severity. With no EPSS data and no listing in the CISA KEV catalogue, public exploitation is unlikely. The attack vector is local: a malicious user with access to the machine must invoke the CLI with crafted parameters. Impact is limited to the privileges of the current session, so only users who already have database access can cause further unintended actions.

Generated by OpenCVE AI on June 29, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Snowflake CLI to version 3.19 or later, which removes the improper parameter handling.
  • Configure role-based access controls so that only trusted users can execute arbitrary SQL via the CLI.
  • Enable and review audit logging of CLI commands to detect any anomalous SQL execution patterns.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Snowflake
                                       Snowflake snowflake Cli
Vendors & Products                     Snowflake
                                       Snowflake snowflake Cli

Mon, 29 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description                    (same text as the Description section above)
Title                          Snowflake CLI SQL Injection Through Improper Neutralization of Local CLI Parameters
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: SNOWFLAKE

Published:

Updated: 2026-06-29T16:21:58.031Z

Reserved: 2026-06-29T15:41:42.790Z

Link: CVE-2026-13746

Vulnrichment

Updated: 2026-06-29T16:21:54.967Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:18Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')