Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL in the context of the victim user's Snowflake session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges assigned to that session. The fix is available in Snowflake CLI version 3.19. Users must manually upgrade.
History

Wed, 01 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Snowflake
Snowflake snowflake Cli
Vendors & Products Snowflake
Snowflake snowflake Cli

Mon, 29 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL in the context of the victim user's Snowflake session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges assigned to that session. The fix is available in Snowflake CLI version 3.19. Users must manually upgrade.
Title Snowflake CLI SQL Injection Through Improper Neutralization of User-Controlled Input
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: SNOWFLAKE

Published: 2026-06-29T15:40:47.721Z

Updated: 2026-06-29T16:23:42.013Z

Reserved: 2026-06-29T15:29:41.713Z

Link: CVE-2026-13744

cve-icon Vulnrichment

Updated: 2026-06-29T16:23:36.497Z

cve-icon NVD

No data.

cve-icon Redhat

No data.