SQL Injection Vulnerability in Snowflake Snowpark Python SDK
CVE-2026-15062

9.6CRITICAL

Key Information:

Vendor

Snowflake

Vendor
CVE Published:
8 July 2026

What is CVE-2026-15062?

The Snowflake Snowpark Python SDK versions before 1.53.0 are susceptible to SQL injection attacks, allowing low-privilege authenticated users to execute unauthorized SQL queries. By exploiting these vulnerabilities, attackers can insert SQL payloads into database column names, potentially escalating their privileges through the DataFrameReader.dbapi() API. They might achieve this by manipulating the parameters in DataFrameWriter write methods or by bypassing sanitization via crafted export paths. Successful exploitation could lead to significant risks such as unauthorized access to sensitive database information and cross-tenant data exfiltration.

Affected Version(s)

Snowpark Python SDK 0.1.0 < 1.53.0

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.