CVE-2026-15736
Received Received - Intake

SQL Injection in Snowflake SQLAlchemy

Vulnerability report for CVE-2026-15736, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: 412d305a-227d-44f9-a262-a31ba44f2aea

Description

Snowflake SQLAlchemy versions prior to 1.11.0 contain several security vulnerabilities, including: Improper handling of user-supplied column identifiers in merge operations could allow SQL injection through attacker-controlled input keys. An attacker may be able to exploit this through request field names in a dynamic upsert endpoint, potentially enabling read access to data visible to the application's database role or modification of values within the same MERGE statement. Improper literal rendering of bound parameters when building certain Snowflake-specific table creation queries could allow SQL injection. An attacker may be able to exploit this by supplying a crafted string to any application endpoint that passes user-controlled data through the affected query-building API, potentially causing arbitrary data exfiltration within the scope of the connection role. Improper forwarding of connection configuration parameters could allow an attacker to cause the library to read arbitrary local files and transmit their contents to an attacker-controlled endpoint. An attacker may be able to exploit this in deployment environments that accept user-controlled connection parameters, potentially exposing sensitive files accessible to the application process. The fix is available in Snowflake SQLAlchemy version 1.11.0. Users must manually upgrade.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snowflake snowflake_sqlalchemy to 1.11.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15736 is a security vulnerability in Snowflake SQLAlchemy versions prior to 1.11.0. It involves multiple issues that could allow attackers to exploit the library in different ways.

  • Improper handling of user-supplied column identifiers in merge operations could lead to SQL injection. Attackers may exploit this through request field names in a dynamic upsert endpoint, potentially gaining read access to data visible to the application's database role or modifying values within the same MERGE statement.
  • Improper literal rendering of bound parameters when building certain Snowflake-specific table creation queries could allow SQL injection. Attackers may supply crafted strings to application endpoints that pass user-controlled data through the affected query-building API, potentially causing arbitrary data exfiltration within the scope of the connection role.
  • Improper forwarding of connection configuration parameters could allow attackers to read arbitrary local files and transmit their contents to an attacker-controlled endpoint. This may expose sensitive files accessible to the application process in environments that accept user-controlled connection parameters.

The vulnerability is fixed in Snowflake SQLAlchemy version 1.11.0, and users must manually upgrade to this version.

Impact Analysis

This vulnerability can have several serious impacts if exploited.

  • Attackers may gain unauthorized read access to sensitive data visible to your application's database role, potentially exposing confidential or personal information.
  • Attackers could modify data within MERGE statements, leading to data corruption or unauthorized changes to your database records.
  • SQL injection through crafted inputs could allow attackers to exfiltrate arbitrary data within the scope of your connection role, potentially exposing large amounts of sensitive information.
  • In deployment environments that accept user-controlled connection parameters, attackers may read arbitrary local files accessible to your application process and transmit their contents to an external endpoint, leading to further data breaches or system compromise.

The CVSS score of 8.3 indicates a high severity, meaning the vulnerability poses a significant risk to the confidentiality, integrity, and availability of your systems and data.

Compliance Impact

This vulnerability can significantly impact compliance with common standards and regulations in several ways.

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or exfiltration of personal data of EU citizens, it could result in a data breach under GDPR. This may require mandatory reporting to authorities and affected individuals, potentially leading to fines of up to 4% of global annual revenue or €20 million, whichever is higher.
  • HIPAA (Health Insurance Portability and Accountability Act): If the affected system handles protected health information (PHI), exploitation of this vulnerability could lead to unauthorized access or disclosure of PHI. This would constitute a breach under HIPAA, requiring notification to affected individuals, the Department of Health and Human Services, and potentially the media. It could also result in significant fines and corrective action plans.
  • Other standards: The vulnerability could also affect compliance with other standards such as PCI DSS (Payment Card Industry Data Security Standard) if payment card data is exposed, or SOX (Sarbanes-Oxley Act) if financial data integrity is compromised. Non-compliance with these standards can lead to penalties, loss of certifications, or legal consequences.

Organizations must assess whether exploitation of this vulnerability could lead to a reportable breach under applicable regulations and take immediate steps to mitigate the risk by upgrading to the fixed version of Snowflake SQLAlchemy.

Detection Guidance

Detecting this vulnerability involves checking the version of Snowflake SQLAlchemy in use and inspecting how connection parameters are passed to the library. The vulnerability affects versions prior to 1.11.0.

  • Check the installed version of Snowflake SQLAlchemy using pip: pip show snowflake-sqlalchemy. If the version is below 1.11.0, the system is vulnerable.
  • Review application code or configuration files for instances where connection parameters (e.g., host, protocol, token_file_path, private_key_file) are passed via the URL query string instead of the connect_args parameter. For example, look for URLs like snowflake://user:password@account/?private_key_file=/path/to/key.
  • Inspect logs for plaintext exposure of sensitive connection parameters in URLs. This may indicate the vulnerability is being exploited or misconfigured.
  • Use static code analysis tools to scan for improper handling of user-supplied column identifiers in merge operations or dynamic upsert endpoints, which could allow SQL injection.
Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade to Snowflake SQLAlchemy version 1.11.0 or later. Additional steps can further reduce risk.

  • Upgrade Snowflake SQLAlchemy immediately: pip install --upgrade snowflake-sqlalchemy>=1.11.0.
  • Ensure all connection parameters (e.g., host, protocol, token_file_path, private_key_file) are passed through the connect_args parameter in create_engine() rather than via the URL query string. For example: create_engine(url, connect_args={'private_key_file': '/path/to/key'}).
  • Review and update application code to avoid passing user-controlled data directly into merge operations or query-building APIs to prevent SQL injection.
  • Enable logging and monitor for unusual database queries or access patterns that may indicate exploitation attempts.
  • Restrict file system access for the application process to prevent arbitrary file reads if the vulnerability is exploited.
  • Validate and sanitize all user-supplied input, especially in dynamic SQL operations or endpoints that handle database queries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15736. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart