SQL Injection and DDL Injection Vulnerabilities in Snowflake Terraform Provider
CVE-2026-15067
What is CVE-2026-15067?
The Snowflake Terraform Provider prior to version 2.18.0 is susceptible to multiple security vulnerabilities, notably enabling SQL injection through an unsanitized data source input. This flaw allows for the execution of arbitrary SQL commands within the provider's privileged Snowflake session, which can lead to unauthorized access and sensitive data exfiltration. Furthermore, deficiencies in identifier content neutralization in user resource inputs may permit DDL injection into user management statements. This could enable attackers to create accounts with their own credentials, bypassing any security measures established by operators. An upgrade to version 2.18.0 or above is necessary to mitigate these vulnerabilities.
Affected Version(s)
Terraform Provider for Snowflake 0.1.0 < 2.18.0
