CVE-2026-13746

Snowflake CLI SQL Injection Through Improper Neutralization of Local CLI Parameters

CVSS 3.6 (Low) · EPSS 0.1% · CWE-89 · KEV: no
Vexday Risk Score: 8 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
Lifecycle
29 Jun 2026: Published in NVD
Recommendation: monitor; no sign of exploitation for now.
Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
Snowflake · Snowflake CLI
