CVE 6.3 MEDIUM

Snowflake CLI Arbitrary Local File Read and Exfiltration Through Improper File Path Restriction (CVE-2026-13748)

6.3 / 10
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Description

Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim's Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
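The weakness class described above (CWE-style improper restriction of a path to a project boundary) is usually mitigated by resolving every file reference found in project or template content and refusing it unless the real path stays inside the project root. The block below is an added, illustrative example written for this page; it is not Snowflake CLI code and not the 3.19 fix. The function and exception names (`resolve_within_project`, `read_project_file`, `PathOutsideProjectError`) and the constructed project layout in `demo()` are assumptions for the example.

```python
import tempfile
from pathlib import Path


class PathOutsideProjectError(ValueError):
    """Raised when a referenced file resolves outside the project root (hypothetical name)."""


def resolve_within_project(project_root, reference):
    """Resolve `reference` (a path taken from project/template content) against
    `project_root` and return it only if the real path stays inside the root.

    Absolute references, `..` traversal and symlinks are all handled the same
    way: resolve to a canonical absolute path first (this follows symlinks),
    then check containment against the canonical root.
    """
    root = Path(project_root).resolve()
    # Joining an absolute `reference` discards `root`, which is exactly why the
    # containment check below is done on the resolved result, not on the input.
    target = (root / reference).resolve()
    if target != root and root not in target.parents:
        raise PathOutsideProjectError(f"{reference!r} resolves to {target}, outside {root}")
    return target


def read_project_file(project_root, reference, max_bytes=1_000_000):
    """Read a file referenced by project content, enforcing the boundary check
    before any bytes are read (and therefore before anything could be uploaded)."""
    target = resolve_within_project(project_root, reference)
    with open(target, "rb") as fh:
        return fh.read(max_bytes)


def demo():
    """Build a constructed project layout in a temp dir and exercise the check.

    Returns a dict mapping each reference to 'allowed' or 'rejected'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "project"
        (root / "sql").mkdir(parents=True)
        (root / "sql" / "setup.sql").write_text("SELECT 1;")
        # Constructed: a file that lives outside the project and must never be read.
        secret = tmp / "outside_secret.txt"
        secret.write_text("not for upload")
        # Constructed: a symlink inside the project pointing outside it.
        link = root / "sql" / "escape.lnk"
        try:
            link.symlink_to(secret)
            have_link = True
        except OSError:  # symlink creation may be disallowed on some platforms
            have_link = False
        cases = [
            "sql/setup.sql",                      # legitimate reference
            "../outside_secret.txt",              # parent traversal
            "sql/../../outside_secret.txt",       # traversal through a valid subdir
            str(secret),                          # absolute path
        ]
        if have_link:
            cases.append("sql/escape.lnk")        # symlink escape
        for ref in cases:
            try:
                read_project_file(root, ref)
                results[ref] = "allowed"
            except PathOutsideProjectError:
                results[ref] = "rejected"
    return results


if __name__ == "__main__":
    for ref, verdict in demo().items():
        print(f"{verdict:8} {ref}")
```

Only the in-tree reference is allowed; the traversal, absolute-path and symlink cases are all rejected before the file is opened. Checking `target.parents` after `resolve()` is what makes the symlink case safe: a lexical check on the original string would have accepted `sql/escape.lnk`.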

Basic Information

ID CVE-2026-13748
Source SNOWFLAKE
Published Jun 29, 2026 at 15:58
Modified Jun 29, 2026 at 16:20

Affected Product

Vendor Snowflake
Product Snowflake CLI
Version 0.2.2
Affected Versions Snowflake Snowflake CLI 0.2.2

CWE Classification

References
