CVE-2026-13751
Status: Received - Intake

Server-Side Request Forgery in Snowflake CLI

Vulnerability report for CVE-2026-13751, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: 412d305a-227d-44f9-a262-a31ba44f2aea

Description

Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause the victim's environment to issue unintended outbound requests to internal or otherwise non-public network locations, and could cause remote SQL content to be retrieved and executed in the context of the victim user's session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges available to that session and environment. The fix is available in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor      Product         Version / Range
snowflake   snowflake_cli   all versions before 3.19 (3.19 itself excluded)

Weaknesses (CWE)

CWE ID    Name and description
CWE-918   Server-Side Request Forgery (SSRF). The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. In this CVE: the target of a !source/!load directive is fetched at runtime without restricting where the request may go.
CWE-829   Inclusion of Functionality from Untrusted Control Sphere. The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. In this CVE: SQL retrieved from an attacker-controlled URL is executed in the victim user's session.

Executive Summary

This vulnerability exists in Snowflake CLI versions prior to 3.19 and involves improper handling of untrusted remote references. Specifically, the SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restrictions on where the requests could be sent.

An attacker could supply crafted SQL content that, when processed through a vulnerable command path, causes the victim's environment to issue unintended outbound requests to internal or non-public network locations. Additionally, remote SQL content could be retrieved and executed within the victim user's session context.

Successful exploitation requires the victim to process attacker-controlled content and is limited by the privileges of the session and environment. The issue is fixed in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.

Impact Analysis

The outbound request is issued by the host that runs Snowflake CLI (a developer workstation or a CI runner, for example), so an attacker who can get a crafted SQL file processed through a vulnerable command path can reach whatever that host can reach: internal services and other non-public network locations that are not exposed to the attacker directly. Information returned by those requests, or the fact that they succeed at all, can expose internal resources.

Separately, because the retrieved SQL content is executed in the victim's session, the attacker's statements run with whatever role and privileges that session holds. Depending on those privileges this can mean unauthorized changes, data exposure, or further actions on the Snowflake account.

Both effects are bounded by the privileges of the session and by what the victim's environment can reach on the network; the vulnerability does not by itself grant privileges the victim does not already have.

Mitigation Strategies

Upgrade Snowflake CLI to version 3.19 or later.

The description says the fix in 3.19 adds an option to disable remote URL retrieval. After upgrading, confirm that this option is actually in effect in your configuration: an option that exists but is not set gives no protection, and the page does not state whether retrieval is off by default.

Until the upgrade is in place, and as defence in depth afterwards, do not run !source/!load over SQL files from sources you do not control (pull requests, shared repositories, pasted snippets), and restrict outbound network access from the hosts where the CLI runs so that a request a directive does issue cannot reach internal services.
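The two controls discussed above, the pre-fix "fetch whatever the directive names" behaviour and a hardened handler with an off-by-default remote option plus a destination check, as an added Python example. This is not Snowflake CLI's own code; the directive grammar (`!source <target>` / `!load <target>`, optional trailing semicolon), the function names and the resolver hook are assumptions made for the illustration, and the sample SQL lines are constructed.

```python
"""Added example (not Snowflake CLI's own code): a guard for !source / !load
directives modelling the controls described in the advisory for CVE-2026-13751.
Directive grammar, names and the resolver hook are assumptions."""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Assumed grammar: "!source <target>" or "!load <target>", optional ';'.
DIRECTIVE_RE = re.compile(r"^\s*!(source|load)\s+(\S+?)\s*;?\s*$", re.IGNORECASE)
WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")   # C:\path is local, not scheme "c:"


@dataclass
class Decision:
    allowed: bool
    kind: str           # "local", "remote" or "rejected"
    target: str
    reason: str = ""


def unrestricted_decision(line: str) -> Optional[Decision]:
    """Models the pre-fix behaviour the advisory describes: any target named
    by the directive, local or remote, is accepted and would be fetched."""
    m = DIRECTIVE_RE.match(line)
    if not m:
        return None
    target = m.group(2).strip("'\"")
    kind = "remote" if urlparse(target).scheme in ("http", "https") else "local"
    return Decision(True, kind, target)


def _is_public_ip(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local, multicast, reserved, 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolver(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def guarded_decision(line: str, *, allow_remote: bool = False,
                     resolver: Callable[[str], list[str]] = _system_resolver) -> Optional[Decision]:
    """Hardened form. allow_remote=False is the safe default (the advisory says
    3.19 adds an option to disable remote retrieval). When remote retrieval is
    enabled, every address the host resolves to must be public."""
    m = DIRECTIVE_RE.match(line)
    if not m:
        return None
    target = m.group(2).strip("'\"")
    parsed = urlparse(target)
    is_local = (WINDOWS_DRIVE_RE.match(target) is not None
                or parsed.scheme == ""
                or (parsed.scheme == "file" and not parsed.netloc))
    if is_local:
        return Decision(True, "local", target)
    if not allow_remote:
        return Decision(False, "rejected", target, "remote retrieval disabled")
    if parsed.scheme not in ("http", "https"):
        return Decision(False, "rejected", target, f"scheme {parsed.scheme!r} not permitted")
    host = parsed.hostname
    if not host:
        return Decision(False, "rejected", target, "no host in URL")
    try:
        ipaddress.ip_address(host)
        ips = [host]                       # literal IP: nothing to resolve
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:
            return Decision(False, "rejected", target, f"cannot resolve {host}: {exc}")
    for ip in ips:
        if not _is_public_ip(ip):
            return Decision(False, "rejected", target,
                            f"{host} resolves to non-public address {ip}")
    return Decision(True, "remote", target)


if __name__ == "__main__":
    # Constructed sample: a legitimate local include and an attacker-supplied
    # directive pointing at a link-local address.
    sample = ["!source ./setup.sql",
              "!load http://169.254.169.254/latest/meta-data/;",
              "SELECT 1;"]
    for s in sample:
        print(s, "->", unrestricted_decision(s), "|", guarded_decision(s, allow_remote=True))
```

Two caveats that the check alone does not cover: the address is vetted before the fetch, so the fetcher must connect to the vetted IP rather than resolving the name a second time (otherwise a DNS answer that changes between check and connect defeats it), and any HTTP redirect has to be passed through the same check before it is followed. The simplest posture, and the one the advisory's option provides, is to leave remote retrieval disabled.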
