CVE-2026-13746

Source
https://cve.org/CVERecord?id=CVE-2026-13746
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13746.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13746
Published
2026-06-29T15:51:57.399Z
Modified
2026-07-15T01:49:20.174909040Z
Severity
  • 3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Snowflake CLI SQL Injection Through Improper Neutralization of Local CLI Parameters
Details

Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13746.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2.0.0"
                },
                {
                    "fixed": "3.19.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "SNOWFLAKE"
}
References

Affected packages

Git / github.com/snowflakedb/snowflake-cli

Affected ranges

Type
GIT
Repo
https://github.com/snowflakedb/snowflake-cli
Events
Database specific
{
    "cpe": "cpe:2.3:a:snowflake:snowflake_cli:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "3.19.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

Other
dcm-prpr-20250804
v2.*
v2.0.0
v2.1.0-rc0
v2.2.0-rc0
v2.3.0-rc0
v2.7.0-rc0
v3.*
v3.0.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13746.json"