SQL Injection Vulnerability in Snowflake Snowpark Python SDK
CVE-2026-15062
9.6CRITICAL
What is CVE-2026-15062?
The Snowflake Snowpark Python SDK versions before 1.53.0 are susceptible to SQL injection attacks, allowing low-privilege authenticated users to execute unauthorized SQL queries. By exploiting these vulnerabilities, attackers can insert SQL payloads into database column names, potentially escalating their privileges through the DataFrameReader.dbapi() API. They might achieve this by manipulating the parameters in DataFrameWriter write methods or by bypassing sanitization via crafted export paths. Successful exploitation could lead to significant risks such as unauthorized access to sensitive database information and cross-tenant data exfiltration.
Affected Version(s)
Snowpark Python SDK 0.1.0 < 1.53.0
