Server-Side Request Forgery in Snowflake CLI by Snowflake
CVE-2026-13751

4.1 MEDIUM

Key Information:

Vendor: Snowflake
CVE Published: 29 June 2026

What is CVE-2026-13751?

Snowflake CLI versions prior to 3.19 are susceptible to server-side request forgery (SSRF) due to improper handling of untrusted remote references. Crafted SQL statements can reference unrestricted remote URLs whose content might be executed within the context of a victim user's session. When such a statement is processed through a vulnerable command path, an attacker could potentially cause the victim's environment to issue unintended outbound requests to internal or restricted network locations and to execute malicious SQL content. Exploitation requires the victim to inadvertently execute attacker-controlled content, and the impact is constrained by the privileges of the session and environment. Snowflake addressed this issue in version 3.19 by introducing an option to disable remote URL retrieval.

Affected Version(s)

Snowflake CLI >= 3.6.0, < 3.19.0

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
