File Path Resolution Vulnerability in Snowflake CLI by Snowflake
CVE-2026-13748

6.3 MEDIUM

Key Information:

Vendor: Snowflake
CVE Published: 29 June 2026

What is CVE-2026-13748?

An improper restriction in the file path resolution mechanism of Snowflake CLI versions prior to 3.19 allows arbitrary local file content to be read and transmitted to Snowflake services. A malicious user can exploit this vulnerability by crafting project content that references files outside the designated project structure. When that content is processed, Snowflake CLI accesses those local files, which can then be uploaded or embedded during SQL template processing. Successful exploitation requires that the victim process the crafted content; to retrieve the data, the attacker also needs access to the victim's Snowflake account artifacts, such as query history or uploaded stages. Users are advised to upgrade to Snowflake CLI version 3.19 to mitigate this security risk.

Affected Version(s)

Snowflake CLI 0.2.2 < 3.19.0

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved