Description
Insertion of sensitive information into log files in Snowflake CLI versions prior to 3.19 allowed plaintext credentials to be written to persistent local debug logs. An attacker could exploit this by obtaining read access to the affected user's local log files, causing credentials such as passwords, tokens, or private key material to be exposed without additional application-level safeguards. Successful exploitation requires credentials to be present in the affected connection context and the resulting logs to be accessible from the local environment. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Published: 2026-06-29
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Snowflake CLI writing plaintext sensitive credentials—such as passwords, tokens, or private key material—to persistent local debug logs in versions before 3.19. If an attacker can read those logs, the exposed information can be used to impersonate the user or gain unauthorized access to Snowflake resources. This is a classic information disclosure flaw (CWE‑532) that does not affect the CLI runtime itself but compromises credential confidentiality.

Affected Systems

All Snowflake CLI environments running a version earlier than 3.19 are affected. The product is Snowflake CLI, version 3.18 and below.

Risk and Exploitability

The CVSS score of 5.5 places the vulnerability in the medium severity range. EPSS data is not provided, and the flaw is not listed in the CISA KEV catalog, suggesting a lower probability of active exploitation. However, the attack requires local read access to the user’s log files, so systems that expose these logs to potential adversaries or have weak file‑system permissions face a higher risk. Once the logs are accessed, credentials are exposed in plaintext without additional mitigation from the application.

Generated by OpenCVE AI on June 29, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snowflake CLI to version 3.19 or later.
  • If an upgrade is not immediately possible, delete or securely archive the existing debug log files and change their permissions to restrict read access to the minimum necessary users.
  • Implement file‑system access controls to prevent unauthorized users from reading the CLI’s log directory.
  • Configure the CLI or environment to disable debug logging if it is not required for troubleshooting.
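One way to carry out the permission and log-review actions above, as an added example that is not OpenCVE's or Snowflake's code. The log directory is supplied by the operator (the advisory does not name its path), the credential key patterns are assumptions, and POSIX file modes are assumed.

```python
import os
import re
import stat
import sys

# Assumption: key names that commonly label credentials in debug output;
# the advisory does not document the CLI's actual log line format.
SECRET_KEY = re.compile(
    r"(?i)\b(password|passwd|token|private_key|passphrase)\b\s*[=:]\s*\S+"
)
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def audit_logs(log_dir, fix=False):
    """Return (path, issue) findings for log_dir and everything beneath it."""
    paths = [log_dir]
    for root, dirs, files in os.walk(log_dir):
        paths += [os.path.join(root, n) for n in dirs + files]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # never chmod or read through a symlink
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group/other permission bit is set
            findings.append((path, f"mode {mode:04o} grants group/other access"))
            if fix:
                os.chmod(path, mode & 0o700)  # keep owner bits only
        if stat.S_ISREG(st.st_mode):
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SECRET_KEY.search(line) or PEM_HEADER.search(line):
                        # Report the location only, never the matched value.
                        findings.append((path, f"credential-like text at line {lineno}"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_logs.py <log directory> [--fix]
    for path, issue in audit_logs(sys.argv[1], fix="--fix" in sys.argv[2:]):
        print(f"{path}: {issue}")
```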

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insertion of sensitive information into log files in Snowflake CLI versions prior to 3.19 allowed plaintext credentials to be written to persistent local debug logs. An attacker could exploit this by obtaining read access to the affected user's local log files, causing credentials such as passwords, tokens, or private key material to be exposed without additional application-level safeguards. Successful exploitation requires credentials to be present in the affected connection context and the resulting logs to be accessible from the local environment. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade. |
| Title | | Snowflake CLI Sensitive Credential Exposure Through Debug Logging |
| Weaknesses | | CWE-532 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: SNOWFLAKE

Published:

Updated: 2026-06-29T16:17:31.579Z

Reserved: 2026-06-29T16:05:05.584Z

Link: CVE-2026-13750

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T17:30:06Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File