CVE-2026-13748

Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim's Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:snowflake:snowflake_cli:*:*:*:*:*:*:*:*

History

30 Jun 2026, 16:09

Type	Values Removed	Values Added
First Time		Snowflake Snowflake snowflake Cli
CPE		cpe:2.3:a:snowflake:snowflake_cli::::::::
References	~~() https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory -~~	() https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory - Vendor Advisory

29 Jun 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-29 16:16

Updated : 2026-06-30 16:09

NVD link : CVE-2026-13748

Mitre link : CVE-2026-13748

CVE.ORG link : CVE-2026-13748

JSON object : View

Products Affected

snowflake

snowflake_cli

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-73

External Control of File Name or Path

{"id": "CVE-2026-13748", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-13748", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T16:20:50.026529Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "412d305a-227d-44f9-a262-a31ba44f2aea", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.8}]}, "affected": [{"source": "412d305a-227d-44f9-a262-a31ba44f2aea", "affectedData": [{"vendor": "Snowflake", "product": "Snowflake CLI", "versions": [{"status": "affected", "version": "0.2.2", "lessThan": "3.19.0", "versionType": "semver"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-29T16:16:39.517", "references": [{"url": "https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory", "tags": ["Vendor Advisory"], "source": "412d305a-227d-44f9-a262-a31ba44f2aea"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "412d305a-227d-44f9-a262-a31ba44f2aea", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-61"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during deployment or SQL template processing. Successful exploitation required the victim to process attacker-controlled project content, and retrieval of exfiltrated data depended on access to the victim's Snowflake account artifacts such as query history or uploaded stage content. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade."}], "lastModified": "2026-06-30T16:09:36.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:snowflake:snowflake_cli:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7273C8A-C77C-47EC-8269-5C8542894BE4", "versionEndExcluding": "3.19.0", "versionStartIncluding": "0.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "412d305a-227d-44f9-a262-a31ba44f2aea"}