CVE-2026-13746
Received Received - Intake

Improper CLI Parameter Handling in Snowflake CLI

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: 412d305a-227d-44f9-a262-a31ba44f2aea

Description
Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-13746
EUVD
EUVD-2026-40132

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snowflake snowflake_cli to 3.19 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves improper neutralization of local command-line interface (CLI) parameters in Snowflake CLI versions prior to 3.19. It allows a user to supply specially crafted values to certain SQL or object listing command paths, which causes the Snowflake CLI to execute unintended SQL commands within the context of the user's Snowflake session.

The issue is limited to self-injection because the vulnerable parameters come directly from local CLI arguments, not from external sources like project files or repositories.

The vulnerability was fixed in Snowflake CLI version 3.19, and users need to manually upgrade to this version to resolve the issue.

Impact Analysis

Exploitation of this vulnerability can lead to unintended SQL execution within the user's Snowflake session.

However, the impact is limited to the privileges already granted to the current session, meaning an attacker cannot escalate privileges beyond what the user already has.

Because the vulnerability only allows self-injection via local CLI parameters, it does not enable remote or external attackers to exploit it.

Mitigation Strategies

To mitigate this vulnerability, you should manually upgrade the Snowflake CLI to version 3.19 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows unintended SQL execution within the context of the user's Snowflake session, limited to the privileges of that session. Since the impact is constrained to self-injection and does not involve external input sources or privilege escalation, the risk of unauthorized data access or data breach is limited.

However, any unintended SQL execution that affects data confidentiality or integrity could potentially impact compliance with standards like GDPR or HIPAA, which require protection of personal and sensitive data. Organizations using vulnerable versions of Snowflake CLI should upgrade to version 3.19 to mitigate this risk and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart