CVE-2026-13748

Source
https://cve.org/CVERecord?id=CVE-2026-13748
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13748.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13748
Published
2026-06-29T15:58:00.158Z
Modified
2026-07-15T01:48:56.322084927Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Snowflake CLI Arbitrary Local File Read and Exfiltration Through Improper File Path Restriction
Details

Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim's Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

Database specific
{
    "cna_assigner": "SNOWFLAKE",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13748.json",
    "cwe_ids": [
        "CWE-22",
        "CWE-61",
        "CWE-73"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "0.2.2"
                },
                {
                    "fixed": "3.19.0"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/snowflakedb/snowflake-cli

Affected ranges

Type
GIT
Repo
https://github.com/snowflakedb/snowflake-cli
Events
Database specific
{
    "cpe": "cpe:2.3:a:snowflake:snowflake_cli:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0.2.2"
        },
        {
            "fixed": "3.19.0"
        }
    ]
}

Affected versions

Other
dcm-prpr-20250804
na-preview
v0.*
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.7
v0.2.8
v0.2.9
v1.*
v1.0.0
v1.0.1
v1.0.1-rc1
v1.0.1-rc2
v1.1.0
v1.1.0-rc1
v2.*
v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0rc0
v2.0.0rc1
v2.0.0rc2
v2.0.0rc3
v2.1.0-rc0
v2.2.0-rc0
v2.3.0-rc0
v2.7.0-rc0
v3.*
v3.0.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13748.json"