CVE-2026-15067

Source
https://cve.org/CVERecord?id=CVE-2026-15067
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15067.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15067
Published
2026-07-08T14:43:32.006Z
Modified
2026-07-15T01:48:56.404189345Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Multiple Security Vulnerabilities in Terraform Provider for Snowflake Could Allow Privilege Escalation and Unauthorized Snowflake Account Takeover
Details

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration and minting of long-lived access credentials. Exploitation requires the ability for an attacker to influence a workspace variable in a pipeline where this data source was enabled. Improper neutralization of identifier content in user resource inputs could allow DDL injection into user management statements, potentially causing accounts to be created with attacker-controlled credentials and without the security controls configured by the operator. The fix is available in Snowflake Terraform Provider version 2.18.0. Users must manually upgrade.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15067.json",
    "cna_assigner": "SNOWFLAKE"
}
References

Affected packages

Git / github.com/snowflakedb/terraform-provider-snowflake

Affected ranges

Type
GIT
Repo
https://github.com/snowflakedb/terraform-provider-snowflake
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "fixed": "2.18.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*
v0.1.0
v0.10.0
v0.100.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.15.0
v0.16.0
v0.17.1
v0.18.0
v0.18.1
v0.18.2
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.21.0-pre+4e46151
v0.21.1
v0.21.2
v0.22.0
v0.23.0
v0.23.1
v0.23.2
v0.23.2-pre+f250b80
v0.23.2-pre+fe55bba
v0.23.2-pre+fe55bba.dirty
v0.23.3-pre+625f882
v0.24.0
v0.24.0-pre+b5d6cbb
v0.25.0
v0.25.0-pre+de07fe3
v0.25.1
v0.25.1-pre+590c22e
v0.25.10
v0.25.10-pre+632fd42
v0.25.11
v0.25.11-pre+8a08ee6
v0.25.11-pre+9b4c38b
v0.25.12
v0.25.12-pre+90b9f80
v0.25.13
v0.25.13-pre+fd97816
v0.25.14
v0.25.14-pre+4b213d1
v0.25.14-pre+a7fca9b
v0.25.15
v0.25.15-pre+c9cc806
v0.25.16
v0.25.16-pre+f28c7dc
v0.25.17
v0.25.17-pre+4b5aef6
v0.25.18
v0.25.18-pre+e9126a9
v0.25.19
v0.25.19-pre+e724575
v0.25.2
v0.25.2-pre+8b38400
v0.25.2-pre+febd3b1
v0.25.20
v0.25.20-pre+f0e59c0
v0.25.21
v0.25.21-pre+1873108
v0.25.22
v0.25.22-pre+9f747b5
v0.25.23
v0.25.23-pre+bde252e
v0.25.24
v0.25.24-pre+58aa3e7
v0.25.25
v0.25.25-pre+e136b1e
v0.25.26
v0.25.26-pre+6906760
v0.25.27
v0.25.27-pre+36a4f2e
v0.25.28
v0.25.28-pre+02a97e0
v0.25.28-pre+9082eb4
v0.25.29
v0.25.29-pre+8224954
v0.25.3
v0.25.3-pre+1e6c6eb
v0.25.30
v0.25.30-pre+e9768bf
v0.25.31
v0.25.31-pre+7f077f2
v0.25.32
v0.25.32-pre+bf286b4
v0.25.33
v0.25.33-pre+d17656f
v0.25.34
v0.25.34-pre+8acfd5f
v0.25.35
v0.25.35-pre+3b27905
v0.25.35-pre+5515443
v0.25.36
v0.25.4
v0.25.4-pre+14d8363
v0.25.4-pre+c58f9e1
v0.25.5
v0.25.5-pre+d2142fd
v0.25.6
v0.25.6-pre+b9d0e9e
v0.25.7
v0.25.7-pre+6b95dcb
v0.25.8
v0.25.8-pre+7f64bd3
v0.25.8-pre+7fab82f
v0.25.8-pre+fc3e78a
v0.25.9
v0.25.9-pre+3b44b74
v0.26.0
v0.26.1
v0.26.2
v0.26.3
v0.27.0
v0.28.0
v0.28.1
v0.28.2
v0.28.3
v0.28.4
v0.28.5
v0.28.6
v0.28.7
v0.28.8
v0.29.0
v0.3.0
v0.3.1
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.33.1
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.37.1
v0.38.0
v0.39.0
v0.4.0
v0.4.1
v0.40.0
v0.41.0
v0.42.0
v0.42.1
v0.43.0
v0.43.1
v0.44.0
v0.45.0
v0.46.0
v0.47.0
v0.48.0
v0.49.0
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.50.0
v0.51.0
v0.52.0
v0.53.0
v0.54.0
v0.55.0
v0.55.1
v0.56.0
v0.56.1
v0.56.2
v0.56.3
v0.56.4
v0.56.5
v0.57.0
v0.58.0
v0.58.1
v0.58.2
v0.59.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.60.0
v0.61.0
v0.62.0
v0.63.0
v0.64.0
v0.65.0
v0.66.0
v0.66.1
v0.66.2
v0.67.0
v0.68.0
v0.68.1
v0.68.2
v0.69.0
v0.7.0
v0.70.0
v0.70.1
v0.71.0
v0.72.0
v0.73.0
v0.74.0
v0.75.0
v0.76.0
v0.77.0
v0.78.0
v0.79.0
v0.79.1
v0.8.0
v0.8.1
v0.80.0
v0.81.0
v0.82.0
v0.83.0
v0.83.1
v0.84.0
v0.84.1
v0.85.0
v0.86.0
v0.87.0
v0.87.1
v0.87.2
v0.87.3-pre
v0.88.0
v0.89.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.90.0
v0.91.0
v0.92.0
v0.93.0
v0.94.0
v0.94.1
v0.95.0
v0.96.0
v0.97.0
v0.98.0
v0.99.0
v1.*
v1.0.0
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.2.0
v1.2.1
v2.*
v2.0.0
v2.1.0
v2.10.0
v2.10.1
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15067.json"