SQL Injection and DDL Injection Vulnerabilities in Snowflake Terraform Provider
CVE-2026-15067

8.8HIGH

Key Information:

Vendor

Snowflake

Vendor
CVE Published:
8 July 2026

What is CVE-2026-15067?

The Snowflake Terraform Provider prior to version 2.18.0 is susceptible to multiple security vulnerabilities, notably enabling SQL injection through an unsanitized data source input. This flaw allows for the execution of arbitrary SQL commands within the provider's privileged Snowflake session, which can lead to unauthorized access and sensitive data exfiltration. Furthermore, deficiencies in identifier content neutralization in user resource inputs may permit DDL injection into user management statements. This could enable attackers to create accounts with their own credentials, bypassing any security measures established by operators. An upgrade to version 2.18.0 or above is necessary to mitigate these vulnerabilities.

Affected Version(s)

Terraform Provider for Snowflake 0.1.0 < 2.18.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.