CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13746

lowCVSS 3.6covered by 1 sourcefirst seen 2026-06-29
Improper neutralization of local CLI parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. A user could trigger this issue by supplying crafted values to vulnerable Cortex SQL or object listing command paths, causing Snowflake CLI to execute unintended SQL in the context of that user's Snowflake session. Successful exploitation is constrained to self-injection because the vulnerable parameters were supplied directly through local CLI arguments rather than through project files, repositories, or other external input sources, and impact is limited to the privileges already available to the current session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

⚡ Watch CVE-2026-13746

Get an email if CVE-2026-13746 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13746

CVE.org record

Embed the live status

CVE-2026-13746 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13746 status](https://www.csirts.com/badge/CVE-2026-13746)](https://www.csirts.com/cve/CVE-2026-13746)