CVE-2026-13744 HIGH

CVE-2026-13744: Snowflake CLI SQL Injection Through Improper Neutralization of User-Controlled Input

Vendor Snowflake
Product Snowflake CLI
Weakness CWE-89 · SQLi
Published June 29, 2026
Last update June 29, 2026

CVSS base score

8.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL in the context of the victim user's Snowflake session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges assigned to that session. The fix is available in Snowflake CLI version 3.19. Users must manually upgrade.

Key dates

02Disclosure timeline

June 29, 2026 CVE published
June 29, 2026 Record updated