Description
Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing Snowflake CLI to execute unintended SQL in the context of the user’s Snowflake session. Successful exploitation required crafted values to reach vulnerable parameters, including through socially engineered input, malicious repository configuration, or compromised automation feeding external values into the CLI, and impact is limited by the privileges assigned to the active session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Published: 2026-06-29
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 lets an attacker who can influence the values passed to the vulnerable command paths (the record's title names secret creation and SPCS service log commands) inject additional SQL that the CLI then submits to Snowflake. The injected SQL runs with the role and privileges of the active Snowflake session, so the impact is bounded by those privileges. The published CVSS vector rates confidentiality and integrity impact as high and availability impact as none (C:H/I:H/A:N), so the realistic outcomes are reading or modifying data the session's role can reach, not denial of service.

Affected Systems

The vulnerability affects Snowflake CLI (the `snow` command) in every release before 3.19. Anyone running an earlier release, on developer workstations as well as on CI/CD runners and other automation hosts, is exposed and should confirm the installed version (for example with `snow --version`) and upgrade.

Risk and Exploitability

With a CVSS 3.1 base score of 6, the flaw is rated medium severity. The vector (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) reflects why: the attacker does not reach the CLI over the network but needs crafted values to be fed into it locally, attack complexity is high, the session already holds low privileges, and a user has to run the command with the crafted input. The page's EPSS estimate is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog, meaning CISA has not recorded exploitation in the wild; that is not evidence that no exploit exists. The SSVC assessment recorded in the history (Exploitation: none, Automatable: no, Technical Impact: total) says the same thing from the other side. Exploitation requires the attacker to get crafted values into the vulnerable command parameters, typically through socially engineered command usage, a malicious repository configuration, or compromised automation that passes untrusted values to the CLI. Because exploitation is possible only when the attacker can influence those parameters, restricting the CLI to trusted inputs and running it under a least-privilege role reduces risk until the upgrade is done.

Generated by OpenCVE AI on June 29, 2026 at 18:21 UTC.

Remediation

This page's remediation field is empty, but the vendor's description states that the fix ships in Snowflake CLI 3.19 and must be applied by upgrading manually. No workaround beyond keeping untrusted values out of the vulnerable parameters is described.

OpenCVE Recommended Actions

  • Upgrade Snowflake CLI to version 3.19 or later on every host that runs it, including CI/CD runners
  • Until the upgrade is done, validate or sanitize any external input that is passed to Snowflake CLI command parameters, in particular the secret creation and SPCS service log commands named in the record's title
  • Inspect and secure repository configurations and automation scripts that invoke Snowflake CLI so that they do not forward untrusted values into those commands, and run the CLI under a role holding only the privileges the task needs, since injected SQL executes with the session's privileges
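The Impact paragraph above describes the weakness in general terms and the recommended actions ask for input validation; the following added Python example shows what both look like in code. It is not Snowflake CLI's own code and does not claim to reproduce how the CLI builds its statements: the `CREATE SECRET` and `SYSTEM$GET_SERVICE_LOGS` statements are real Snowflake SQL, but the builder functions, the constructed crafted values and the `has_extra_statement` checker are illustrative assumptions. The vulnerable builder interpolates parameters straight into SQL text; the hardened versions validate identifiers against an allow-list pattern, escape string values as Snowflake string literals, and coerce numeric parameters to integers before they ever reach the statement.

```python
import re

# Constructed sample inputs (not taken from the advisory). The crafted value tries to close
# the string literal early and append a second statement; the crafted name does the same
# through the identifier position.
BENIGN_VALUE = "s3cr3t"
CRAFTED_VALUE = "x' TYPE = GENERIC_STRING; DROP TABLE audit_log; --"
CRAFTED_NAME = "my_secret; DROP TABLE audit_log; --"

# Unquoted Snowflake identifier: letters, digits, underscore, dollar; no leading digit.
# (Assumed allow-list for this example; adjust if your naming rules differ.)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def build_create_secret_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern: parameters are dropped into the SQL text verbatim.
    A value containing a quote or semicolon changes the meaning of the statement."""
    return f"CREATE SECRET {name} TYPE = GENERIC_STRING SECRET_STRING = '{value}'"


def validate_identifier(name: str) -> str:
    """Reject anything that is not a plain unquoted identifier. Rejecting is safer than
    'cleaning' the name: a rejected input never reaches the Snowflake session."""
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return name


def quote_string_literal(value: str) -> str:
    """Render a Python string as a Snowflake single-quoted literal: backslashes and
    embedded quotes are doubled so the literal cannot be terminated early."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return f"'{escaped}'"


def build_create_secret_safe(name: str, value: str) -> str:
    """Hardened form: identifier validated, secret value escaped as a literal.
    Where the driver supports bind parameters, binding the value is preferable to escaping."""
    return (
        f"CREATE SECRET {validate_identifier(name)} "
        f"TYPE = GENERIC_STRING SECRET_STRING = {quote_string_literal(value)}"
    )


def build_get_service_logs_safe(service: str, instance: int, container: str, num_lines: int) -> str:
    """Hardened builder for a service-log call: identifier validated, strings escaped,
    numeric arguments coerced to int so they cannot carry SQL text."""
    return (
        f"CALL SYSTEM$GET_SERVICE_LOGS({quote_string_literal(validate_identifier(service))}, "
        f"{int(instance)}, {quote_string_literal(container)}, {int(num_lines)})"
    )


def has_extra_statement(sql: str) -> bool:
    """Demonstration check: report a ';' that sits outside any single-quoted literal,
    i.e. a second statement smuggled into what should be one. It understands '' and
    backslash escapes inside literals; it does not parse comments or other SQL syntax."""
    in_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "\\":
                i += 2
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2
                    continue
                in_string = False
        elif ch == "'":
            in_string = True
        elif ch == ";":
            return True
        i += 1
    return False


if __name__ == "__main__":
    unsafe = build_create_secret_unsafe("my_secret", CRAFTED_VALUE)
    safe = build_create_secret_safe("my_secret", CRAFTED_VALUE)
    print("unsafe :", unsafe, "->", "INJECTED" if has_extra_statement(unsafe) else "ok")
    print("safe   :", safe, "->", "INJECTED" if has_extra_statement(safe) else "ok")
    try:
        build_create_secret_safe(CRAFTED_NAME, BENIGN_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Two design points worth noting. First, the hardened path rejects bad identifiers rather than trying to repair them, because identifiers cannot be bound as parameters and any "cleaning" is a guess about what the caller meant. Second, escaping the string value is shown here because it runs offline; in code that talks to Snowflake, passing the value as a bind parameter to the connector's `execute` call removes the escaping step from your code entirely and is the preferred fix.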


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Snowflake
                                      Snowflake snowflake Cli
Vendors & Products                    Snowflake
                                      Snowflake snowflake Cli

Mon, 29 Jun 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 17:15:00 +0000

Type         Values Removed   Values Added
Description                   Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing Snowflake CLI to execute unintended SQL in the context of the user’s Snowflake session. Successful exploitation required crafted values to reach vulnerable parameters, including through socially engineered input, malicious repository configuration, or compromised automation feeding external values into the CLI, and impact is limited by the privileges assigned to the active session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Title                         Snowflake CLI SQL Injection Through Improper Neutralization of Parameters in Secret Creation and SPCS Service Log Commands
Weaknesses                    CWE-89
References
Metrics                       cvssV3_1
                              {'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: SNOWFLAKE

Published:

Updated: 2026-06-29T17:23:42.265Z

Reserved: 2026-06-29T16:23:15.621Z

Link: CVE-2026-13752

Vulnrichment

Updated: 2026-06-29T17:23:39.004Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:10Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')