CVE-2026-13746
CVSS: 3.6 (Low)
Exploitation Probability (EPSS): low risk, 2nd percentile (higher than 2% of all known CVEs)
Summary
Snowflake CLI versions prior to 3.19 contain a vulnerability due to improper neutralization of local CLI parameters, allowing unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing unintended SQL execution in the context of the user's Snowflake session.
Risk Assessment
The risk is limited to self-injection because the vulnerable parameters are supplied directly through local CLI arguments, not from project files or external sources. Successful exploitation can lead to SQL operations within the existing privileges of the user's session.
Recommendation
Upgrade Snowflake CLI to version 3.19 or later, which contains the fix for this vulnerability. The upgrade must be performed manually by the administrator.
Original NVD description (English source)
Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.