Impact
Snowflake CLI versions prior to 3.19 suffered from improper neutralization of local CLI parameters: the Cortex SQL and object listing commands could be built from user-supplied command-line values that were treated as executable SQL. The flaw grants no new privileges; it lets a local user run unintended SQL statements within their existing Snowflake session. The vulnerable arguments are supplied directly on the command line, not read from external files or repositories.
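To make the weakness class concrete, the following added example (hypothetical code, not the Snowflake CLI's own implementation) contrasts a "list objects" subcommand that splices a command-line argument straight into a SHOW statement with one that allowlists the object type and neutralizes the pattern literal. A small statement splitter that understands Snowflake-style string literals (both `''` and backslash escapes) is included so the effect of each builder can be checked offline; the command shape, the allowlist and the sample inputs are all constructed for illustration.

```python
import re
from typing import List

# Constructed allowlist for the hypothetical subcommand; not the Snowflake CLI's real table.
ALLOWED_OBJECT_TYPES = {"TABLES", "VIEWS", "SCHEMAS", "STAGES"}


def build_list_sql_unsafe(object_type: str, pattern: str) -> str:
    """Vulnerable pattern: CLI arguments are interpolated directly into SQL text."""
    return f"SHOW {object_type} LIKE '{pattern}'"


def build_list_sql_quote_only(object_type: str, pattern: str) -> str:
    """Insufficient fix: doubling single quotes ignores backslash escapes in Snowflake literals."""
    return f"SHOW {object_type} LIKE '{pattern.replace(chr(39), chr(39) * 2)}'"


def build_list_sql_safe(object_type: str, pattern: str) -> str:
    """Hardened builder: allowlisted keyword, bounded and escaped string literal."""
    obj = object_type.strip().upper()
    if obj not in ALLOWED_OBJECT_TYPES:
        raise ValueError(f"unsupported object type: {object_type!r}")
    if len(pattern) > 256 or any(ord(c) < 0x20 for c in pattern):
        raise ValueError("pattern too long or contains control characters")
    # Escape backslashes first, then quotes, so a trailing backslash cannot
    # neutralize the doubled quote that follows it.
    escaped = pattern.replace("\\", "\\\\").replace("'", "''")
    return f"SHOW {obj} LIKE '{escaped}'"


def split_statements(sql: str) -> List[str]:
    """Split SQL text on ';' outside string literals, dropping '--' line comments."""
    segments: List[str] = []
    buf: List[str] = []
    i, n, in_string = 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_string:
            if c == "\\" and i + 1 < n:          # backslash escape: keep both characters
                buf.append(sql[i:i + 2])
                i += 2
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":  # doubled quote stays inside the literal
                    buf.append("''")
                    i += 2
                    continue
                in_string = False                # lone quote closes the literal
            buf.append(c)
            i += 1
            continue
        if sql.startswith("--", i):              # comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
            continue
        if c == ";":                             # statement terminator outside a literal
            segments.append("".join(buf))
            buf = []
            i += 1
            continue
        if c == "'":
            in_string = True
        buf.append(c)
        i += 1
    segments.append("".join(buf))
    return [s.strip() for s in segments if s.strip()]


def statement_count(sql: str) -> int:
    return len(split_statements(sql))


if __name__ == "__main__":
    # Constructed inputs: a pattern that closes the literal and appends a second statement.
    crafted = "t'; SELECT CURRENT_USER(); --"
    print(statement_count(build_list_sql_unsafe("TABLES", crafted)))       # 2
    print(statement_count(build_list_sql_safe("tables", crafted)))         # 1
    # A backslash before the quote defeats quote doubling alone, but not the safe builder.
    crafted_bs = "t\\'; SELECT 1; --"
    print(statement_count(build_list_sql_quote_only("TABLES", crafted_bs)))  # 2
    print(statement_count(build_list_sql_safe("TABLES", crafted_bs)))        # 1
```

The splitter is a review aid, not a sanitizer: the mitigation is the allowlist plus escaping in `build_list_sql_safe`, and where the target command supports bind parameters, binding the pattern instead of interpolating it is preferable.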
Affected Systems
The affected product is the Snowflake CLI, all versions preceding 3.19. Users employing the CLI for local command execution where parameters are supplied via the command line are at risk.
Risk and Exploitability
The CVSS score of 3.6 indicates low severity. With no EPSS data and no listing in the CISA KEV catalogue, public exploitation is unlikely. The attack vector is local: a malicious user with access to the machine must invoke the CLI with crafted parameters. Impact is limited to the privileges of the current Snowflake session, so only users who already hold database access can cause further unintended actions.