Improper Neutralization in Snowflake CLI Allows Unauthorized SQL Execution
CVE-2026-13746
3.6 LOW
What is CVE-2026-13746?
Snowflake CLI versions prior to 3.19 did not properly neutralize local Command Line Interface (CLI) parameters, which permitted unintended SQL execution. By supplying specially crafted inputs to vulnerable command paths, users could inadvertently trigger the execution of unintended SQL within their own Snowflake session. Exploitation is confined to self-injection because the parameters are provided directly through local CLI arguments, without reliance on external files or repositories. This limits the impact to the existing privileges of the user's session. Users are encouraged to upgrade to Snowflake CLI version 3.19 or later to mitigate the issue.
Affected Version(s)
Snowflake CLI 2.0.0 < 3.19.0
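To find installations that still fall in this range, the following added example (not part of the advisory or of Snowflake's code) triages an inventory of collected `snow --version` outputs. It assumes each output contains a dotted version number, reads the range as 2.0.0 inclusive to 3.19.0 exclusive, and treats a pre-release of 3.19.0 as unfixed; the hostnames and sample lines are constructed.

```python
import re

# Range from the advisory, read as: 2.0.0 <= version < 3.19.0
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (3, 19, 0)

# major.minor[.patch] plus an optional pre-release tag such as rc1 or .dev2
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-._]?(alpha|beta|rc|dev|a|b)\d*\b)?")


def classify(version_output):
    """Return 'affected', 'fixed', 'not-in-range' or 'unknown' for one output."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"  # tool missing or output not recognised: check by hand
    numeric = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if numeric < FIRST_AFFECTED:
        return "not-in-range"  # older than the range the advisory lists
    if numeric < FIRST_FIXED:
        return "affected"
    # Assumption: a pre-release of 3.19.0 itself predates the fixed release.
    if numeric == FIRST_FIXED and m.group(4):
        return "affected"
    return "fixed"


def triage(inventory_lines):
    """Turn 'host<TAB>version output' lines into (host, verdict), affected first."""
    order = {"affected": 0, "unknown": 1, "not-in-range": 2, "fixed": 3}
    rows = []
    for line in inventory_lines:
        host, _, output = line.partition("\t")
        rows.append((host.strip(), classify(output)))
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


# Constructed sample inventory (hypothetical hosts and outputs).
SAMPLE = [
    "build-01\tSnowflake CLI version: 3.18.2",
    "laptop-17\tSnowflake CLI version: 3.19.0",
    "etl-03\tSnowflake CLI version: 2.0.0",
    "legacy-02\tSnowflake CLI version: 1.2.5",
    "dev-09\tSnowflake CLI version: 3.19.0rc1",
    "ci-04\tsnow: command not found",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE):
        print(f"{host:10} {verdict}")
```

Hosts reported as `unknown` need a manual check, since a missing or renamed binary says nothing about what is installed elsewhere on the machine.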
