Improper Code Neutralization in Snowflake CLI Products
CVE-2026-13749

8.8 HIGH

Key Information:

Vendor:
Snowflake

CVE Published:
29 June 2026

What is CVE-2026-13749?

The vulnerability in the Snowflake CLI arises from improper neutralization in the annotation processor callback template: project-supplied content is written into generated Python scripts without being escaped, which permits arbitrary code execution during the application's bundling or deployment phases. An attacker can exploit this by supplying specially crafted project content that ends up injected into those generated scripts. If a user runs the bundling or deployment workflow on a project containing the manipulated content, the Snowflake CLI could inadvertently execute the attacker's code with the user's permissions. To mitigate this risk, users are encouraged to upgrade to Snowflake CLI version 3.19, where the vulnerability has been addressed.
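An illustrative model of the bug class described above and of the hardening it calls for, added here as an example and not taken from the Snowflake CLI's own code: the template text, the `register_callback` name and the `handler` field are assumptions. It contrasts a template that pastes content verbatim with one that embeds it as a proper Python literal, and adds a generation-time shape check that rejects any output whose syntax tree is not the single expected call.

```python
import ast

# Illustrative model of the bug class in CVE-2026-13749: a callback template
# that pastes project-supplied content into a generated Python script.
# NOT the Snowflake CLI's template; the layout and names are assumptions.
TEMPLATE_UNSAFE = "register_callback('{name}', '{handler}')\n"
TEMPLATE_SAFE = "register_callback({name}, {handler})\n"


def render_unsafe(name: str, handler: str) -> str:
    """Vulnerable: untrusted text lands inside string quotes unescaped."""
    return TEMPLATE_UNSAFE.format(name=name, handler=handler)


def render_safe(name: str, handler: str) -> str:
    """Hardened: each value becomes a proper Python string literal via repr()."""
    return TEMPLATE_SAFE.format(name=repr(name), handler=repr(handler))


def statement_count(script: str) -> int:
    """Number of top-level statements in the generated script (expected: 1)."""
    return len(ast.parse(script).body)


def is_expected_shape(script: str) -> bool:
    """Generation-time guard: exactly one expression statement that calls
    register_callback with two string-constant arguments and nothing else.
    Anything that does not match is rejected before the script is run."""
    body = ast.parse(script).body
    if len(body) != 1 or not isinstance(body[0], ast.Expr):
        return False
    call = body[0].value
    if not isinstance(call, ast.Call) or call.keywords:
        return False
    if not (isinstance(call.func, ast.Name) and call.func.id == "register_callback"):
        return False
    return len(call.args) == 2 and all(
        isinstance(a, ast.Constant) and isinstance(a.value, str) for a in call.args
    )


def literal_args(script: str) -> list:
    """Recover the string arguments a well-formed generated script carries."""
    call = ast.parse(script).body[0].value
    return [a.value for a in call.args]


# Constructed project content (not from the advisory): it closes the quoted
# string, appends a second statement and comments out the template's tail.
CRAFTED_HANDLER = "app.handler'); print('injected') #"
```

With the unsafe template the crafted value yields two top-level statements and fails the shape check; with the safe template it stays a single string argument and round-trips unchanged.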

Affected Version(s)

Snowflake CLI 2.4.0 ≤ version < 3.19.0

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
