CVE inventory
Source of truth: OpenCVE — vendor:snowflake. Cross-referenced against Snowflake's JDBC release notes and NVD. Re-scrape verified through 2026-05-15; the next watch window is the JDBC 2026 H2 cohort and any Snowflake-attributed entries posted to the OpenCVE feed.
High and medium severity — Snowflake-owned components
docs/analysis/snowflake-cve-applicability-matrix-2026.md is the source of truth for entries marked [REQUIRES_TENANT] — fields the vendor advisory does not enumerate.
| CVE | Component | CVSS | Summary, applicability, and detection |
|---|---|---|---|
| CVE-2026-6442 | Cortex Code CLI | 8.3 H | Improper validation of shell commands — the agentic CLI executed a wget \| sh-style command issued via indirect prompt injection (malicious README in a reviewed repository). The executed script read cached Snowflake tokens from disk and used them to issue arbitrary SQL. Disclosed by PromptArmor. Affected: Cortex Code CLI all versions ≤ 1.0.24. Fixed in 1.0.25 (2026-02-28). Trigger: user runs Cortex Code against a prompt-injection-bearing input (malicious README.md, poisoned MCP tool output, hostile commit description). No special log level required. Artifact: (a) Cortex Code CLI session log at ~/.cortex/sessions/*.log records the tool-call name and the executed shell — observable via EDR file telemetry or shell history; (b) Snowflake LOGIN_HISTORY records a follow-on KEY_PAIR login from the attacker's source IP if cached tokens were exfiltrated. Detection: cortex_code_pre_1_0_25.yml (endpoint version-string) paired with cortex_code_session_to_unknown_session.yml (correlates the developer's Cortex Code session against a subsequent Snowflake login from a new source). Status: [VENDOR_PATCHED]. |
| CVE-2025-24789 | Snowflake JDBC | 7.8 H | Untrusted search path / writable PATH directory on Windows. A local attacker who can plant a binary earlier in PATH gains privilege escalation from the JDBC process. Affected: Snowflake JDBC on Windows only. Affected version range [REQUIRES_TENANT] — not enumerated in the public NVD record; check the JDBC release-notes page for the patched build. Linux/macOS hosts are not in scope. Trigger: attacker can place an executable in a directory present in PATH before the legitimate binary's directory. Requires local write access to a PATH directory or PATH being writable by a non-admin user. Artifact: Windows Event Log 4688 process-creation event (or EDR equivalent) showing the JDBC process spawning an unexpected binary from a non-system directory. Detection: None in this pack; endpoint-side rule. Closest pairing is generic Windows path-precedence detection content outside this assessment. Status: [VENDOR_PATCHED], Windows-only. |
| CVE-2023-30535 | Snowflake JDBC | 7.3 H | Command injection via a malicious SSO server response. The JDBC driver passed an SSO redirect URL to a local browser launcher without sanitization. Affected: JDBC; fixed in 2023. Exact pre-fix minor version [REQUIRES_TENANT]. The risk is reintroduced if a customer pins to a pre-fix JDBC version — common in long-lived warehouse pipelines. Trigger: user initiates an SSO login flow against an attacker-controlled IdP host (or against the legitimate IdP through an attacker-controlled network path). The driver passes the malicious redirect URL containing shell metacharacters to the local browser launcher. Artifact: on-host process-creation event (browser launcher invoked with an attacker-supplied URL); Snowflake LOGIN_HISTORY shows the resulting session if the chain succeeds. Detection: None platform-side; endpoint telemetry is the detection surface. SSO-redirect MITM is generally a host-side concern, not an ACCOUNT_USAGE one. Status: [VENDOR_PATCHED]. |
| CVE-2023-34232 | Snowflake Connector (Node.js) | 7.3 H | Same class as CVE-2023-30535 — browser-launch command injection through the SSO redirect in the Node.js connector. Affected: Node.js Connector; fixed in 2023. Trigger / Artifact / Detection: identical to CVE-2023-30535; check that all connectors in the stack (not just JDBC) are patched. Status: [VENDOR_PATCHED]. |
| CVE-2024-43382 | Snowflake JDBC | 5.9 M | Client-side encryption silently disabled on PUT uploads under a specific configuration combination. Data uploaded to external stages was sent unencrypted despite configuration intent. Affected: Snowflake JDBC; specific affected range [REQUIRES_TENANT] — the vendor advisory names a configuration combination rather than a version. Trigger: customer has client_encryption_key_size = 0 or a related disabling config and uses PUT to an external stage. Data is uploaded unencrypted client-side despite the customer expecting encryption. Artifact: none in Snowflake audit (the data motion records as a normal PUT). Misconfiguration is observable in driver session logs at DEBUG level, in network capture (TLS to S3/Blob, but no client-side encryption envelope), and at the destination object's encryption metadata. Detection: none — this is a silent fail, not an active-exploit signal. Pair with periodic audits of client_encryption_key_size on every connection config. Status: [VENDOR_PATCHED]. |
| CVE-2022-35918 | Streamlit | 6.5 M | Directory traversal via custom components. Affects both standalone Streamlit and the runtime bundled with Snowflake. Affected: Streamlit custom components; version range [REQUIRES_TENANT] — verify the SiS runtime version matches the patched release. Trigger: app loads a custom component whose path argument is user-controlled. Artifact: the traversed file's contents are surfaced to the attacker via the custom component's render output; Snowflake STREAMLIT app logs would surface the path argument app-side. Detection: none platform-side. App-side audit on the path argument. Status: [VENDOR_PATCHED]. |
| CVE-2023-27494 | Streamlit | 5.9 M | Reflected XSS via URL parameter handling. Attackers can craft links that execute JavaScript in the context of a Streamlit app. Affected: Streamlit URL-parameter handling; version range [REQUIRES_TENANT]. Trigger: user clicks an attacker-crafted URL into a vulnerable Streamlit app. Artifact: browser-side execution in the user's session context. For Streamlit-in-Snowflake this gives the attacker the user's Snowflake session token. Detection: none platform-side. Status: [VENDOR_PATCHED]. |
| CVE-2026-33682 | Streamlit | 4.7 M | SSRF on Windows via malicious UNC paths. Affected: Streamlit (SiS and standalone), Windows-only. Affected version range [REQUIRES_TENANT]. Trigger: app accepts a user-provided path that resolves to a UNC path on a Windows host. The Streamlit runtime fetches the UNC target, which can be on attacker-controlled SMB. Artifact: network outbound to attacker SMB; for SiS this is constrained by the SPCS egress policy (Chain H — an over-broad EAI makes this exploitable, an empty/scoped EAI does not). Detection: indirectly via Chain H content (snowflake_spcs_eai_overbroad.yml + the Trail pair) — the SSRF would not reach the attacker without an EAI that permits it. Status: [VENDOR_PATCHED], Windows-only. |
| CVE-2025-24791 | Snowflake Connector (Python) | 4.4 M | Temporary credential cache written world-readable on Linux. A local user on a shared host can read another user's cached token. Affected: Snowflake Connector for Python; affected versions ≤ 3.x prior to fix, exact minor [REQUIRES_TENANT]. Linux only — file-permission semantics differ on Windows. Trigger: Linux host has multiple local users; an attacker is one of the non-privileged users; the target user has previously authenticated and has a cached token in ~/.snowflake/. The attacker reads the cached token. Artifact: the cached credential file (~/.snowflake/credentials*) has world-readable mode. Audit-observable as a sudden Snowflake login from a user different from the owner of the credential cache. LOGIN_HISTORY shows the second login with the same auth_method but a different source IP or session signature. Detection: indirectly via snowflake_keypair_auth_abuse.yml — the resulting login from an unexpected source is the actionable signal. The cred-cache theft itself is endpoint-side. Status: [VENDOR_PATCHED], Linux-only. |
| CVE-2024-28851 | Hive MetaStore Connector | 4.0 M | Elevation of privilege via content replacement in a helper script. Relevant to Iceberg-era Snowflake-Hive MetaStore deployments. Affected: Snowflake Hive MetaStore Connector; affected versions [REQUIRES_TENANT]. Trigger: attacker can write to a helper-script location the connector reads at install or first-run time. Local-host EoP. Artifact: on-host filesystem; process-creation events from the privileged install path running the modified helper. Detection: none platform-side. Status: [VENDOR_PATCHED]. |
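The CVE-2025-24791 row names two signals: the world-readable credential cache on the host, and the follow-on LOGIN_HISTORY login from a source the user has never used before. The script below is an added example (not this assessment's detection content and not the contents of snowflake_keypair_auth_abuse.yml) that implements both checks against constructed input. It assumes the cache files are named credentials* under the ~/.snowflake/ directory the row cites, that LOGIN_HISTORY rows carry the ACCOUNT_USAGE column names used here, and that "unexpected source" means a CLIENT_IP unseen in a baseline window for the same user and first authentication factor.

```python
"""Endpoint-side cache-permission audit and platform-side new-source login correlation
for the CVE-2025-24791 exposure. Added example; assumptions are noted inline."""
import os
import stat
import tempfile
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# Any of these bits lets a user other than the owner read or write the cache file.
NON_OWNER_ACCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def find_exposed_caches(snowflake_dir):
    """Return [(path, octal_mode)] for credentials* files readable or writable by group/other."""
    exposed = []
    for path in sorted(Path(snowflake_dir).glob("credentials*")):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & NON_OWNER_ACCESS:
            exposed.append((str(path), oct(mode)))
    return exposed


def build_demo_cache_dir():
    """Constructed stand-in for ~/.snowflake/: one cache left world-readable, one locked down."""
    d = Path(tempfile.mkdtemp(prefix="snowflake-cache-demo-"))
    for name, mode in (("credentials", 0o644), ("credentials.bak", 0o600)):
        p = d / name
        p.write_text("constructed-token-placeholder\n")  # no real credential material
        os.chmod(p, mode)
    return str(d)


# Constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns; the
# FIRST_AUTHENTICATION_FACTOR values and IPs are sample values, not real telemetry.
SAMPLE_LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2026-05-01T06:00:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "10.20.0.5",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-05-03T06:00:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "10.20.0.5",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-05-10T06:00:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "10.20.0.5",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-05-11T08:14:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.77",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "IS_SUCCESS": "YES"},   # same factor, new source
    {"EVENT_TIMESTAMP": "2026-05-11T09:00:00", "USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.9",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "IS_SUCCESS": "YES"},      # no baseline for this user
    {"EVENT_TIMESTAMP": "2026-05-12T01:30:00", "USER_NAME": "SVC_ETL", "CLIENT_IP": "203.0.113.80",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "IS_SUCCESS": "NO"},    # failed, not a takeover
]


def logins_from_new_sources(rows, baseline_end):
    """Flag successful logins at/after `baseline_end` whose CLIENT_IP was never seen in the
    baseline window for the same (USER_NAME, FIRST_AUTHENTICATION_FACTOR) pair.
    Identities with no baseline rows are skipped: there is nothing to compare against."""
    cutoff = datetime.fromisoformat(baseline_end)
    known = defaultdict(set)
    for r in rows:
        if datetime.fromisoformat(r["EVENT_TIMESTAMP"]) < cutoff and r["IS_SUCCESS"] == "YES":
            known[(r["USER_NAME"], r["FIRST_AUTHENTICATION_FACTOR"])].add(r["CLIENT_IP"])
    flagged = []
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if datetime.fromisoformat(r["EVENT_TIMESTAMP"]) < cutoff or r["IS_SUCCESS"] != "YES":
            continue
        key = (r["USER_NAME"], r["FIRST_AUTHENTICATION_FACTOR"])
        if key in known and r["CLIENT_IP"] not in known[key]:
            flagged.append((r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"]))
    return flagged


if __name__ == "__main__":
    print("exposed caches:", find_exposed_caches(build_demo_cache_dir()))
    print("new-source logins:", logins_from_new_sources(SAMPLE_LOGIN_HISTORY, "2026-05-05T00:00:00"))
```

The host-side check is the cheap one to schedule on every shared Linux host that runs the Python connector; the login correlation only becomes actionable once a baseline of normal source IPs per service user exists, which is why the cutoff is a parameter rather than a fixed window.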
Lower severity — connector stack secret-leakage cohort (2025)
These CVEs share a class: secrets written to debug logs, or race conditions on temporary files containing credentials. Individually low CVSS, but any Snowflake connector host with debug logging enabled leaks credentials to the log file — and log files are frequently shipped to a SIEM with broad read access.
| CVE | Component | Class |
|---|---|---|
| CVE-2025-27496 | Snowflake JDBC | Master key to debug log during GET/PUT |
| CVE-2025-46329 | Connector for C/C++ | Master key to debug log |
| CVE-2025-46326 | .NET Connector | TOCTOU race — logging-config verification |
| CVE-2025-46327 | Go connector (gosnowflake) | TOCTOU — logging-config |
| CVE-2025-46328 | Node.js Connector | TOCTOU — logging-config |
| CVE-2025-46330 | Connector for C/C++ | Malformed-request retry hang (DoS) |
| CVE-2026-3293 | Snowflake JDBC | ReDoS in proxy route handler |
| CVE-2022-42965 | Snowflake Connector | ReDoS in file-transfer type method |
Transitive driver-stack CVEs (JDBC 4.0.0 – 4.2.0)
Driver releases bundle dependency-CVE rollups that are not Snowflake-owned vulnerabilities but are surfaced via the connector stack and detectable through SBOM scanning. The 2026 JDBC releases (4.0.0 in Jan, 4.0.2 in Mar, 4.1.0 in Apr, 4.2.0 in May) shipped the following:
| CVE | Dependency | Class | Driver release |
|---|---|---|---|
| CVE-2025-67735 | Netty | HttpRequestEncoder CRLF injection | JDBC 4.0.0 |
| CVE-2025-8916 / 8885 | BouncyCastle | Multiple — incl. provider stability | JDBC 4.0.1 |
| CVE-2024-25710 / 26308 | Apache Commons Compress | DoS via crafted archive | JDBC 4.0.2 |
| CVE-2026-33870 | Netty | HTTP/1.1 chunked-encoding request smuggling | JDBC 4.1.0 |
| CVE-2026-33871 | Netty | HTTP/2 CONTINUATION frame flood (DoS) | JDBC 4.1.0 |
| CVE-2026-0636 | BouncyCastle | LDAP injection in LDAPStoreHelper | JDBC 4.2.0 |
| CVE-2026-5588 | BouncyCastle | PKIX module — improper signature validation | JDBC 4.2.0 |
| CVE-2026-5598 | BouncyCastle | FrodoKEM timing channel — private-key leak | JDBC 4.2.0 |
The total dependency-burden picture for the JDBC driver: nine transitive CVEs in five months of 2026 H1 releases. Customers running pinned old driver versions inherit each of these until the driver is rolled forward; an SBOM-aware program that tracks driver pinning across CI / orchestration hosts surfaces the exposed cohort.
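The paragraph above describes the SBOM-aware check in words; the script below is an added example (not tooling from this assessment or from Snowflake) that performs it. It takes the CVE-to-driver-release mapping from the table, assumes the "Driver release" column is the first JDBC build that carries the fixed dependency (so a pin strictly below it still inherits the CVE), and reads the pinned net.snowflake:snowflake-jdbc version out of constructed pom.xml fragments standing in for what a crawl of CI and orchestration hosts would collect.

```python
"""Flag pinned Snowflake JDBC versions that still inherit the transitive dependency CVEs
listed above. Added example; the pom.xml fragments and host names are constructed."""
import re
import xml.etree.ElementTree as ET

# CVE -> first JDBC release that rolled the fixed dependency (values from the table above).
JDBC_TRANSITIVE_FIXES = {
    "CVE-2025-67735": "4.0.0",   # Netty HttpRequestEncoder CRLF injection
    "CVE-2025-8916": "4.0.1",    # BouncyCastle, multiple
    "CVE-2025-8885": "4.0.1",
    "CVE-2024-25710": "4.0.2",   # Apache Commons Compress DoS
    "CVE-2024-26308": "4.0.2",
    "CVE-2026-33870": "4.1.0",   # Netty chunked-encoding request smuggling
    "CVE-2026-33871": "4.1.0",   # Netty HTTP/2 CONTINUATION flood
    "CVE-2026-0636": "4.2.0",    # BouncyCastle LDAP injection
    "CVE-2026-5588": "4.2.0",    # BouncyCastle PKIX signature validation
    "CVE-2026-5598": "4.2.0",    # BouncyCastle FrodoKEM timing channel
}


def parse_version(v):
    """'4.0.2' -> (4, 0, 2); a trailing qualifier such as '-rc1' is ignored for ordering."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable driver version: {v!r}")
    return tuple(int(n) for n in m.groups())


def _local(tag):
    """Strip a namespace prefix: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def pinned_jdbc_version(pom_xml):
    """Return the pinned net.snowflake:snowflake-jdbc version from a pom.xml string, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "net.snowflake" and fields.get("artifactId") == "snowflake-jdbc":
            return fields.get("version")
    return None


def inherited_cves(version):
    """CVEs a driver pinned at `version` still carries: pin strictly below the first fixed release."""
    pinned = parse_version(version)
    return sorted(cve for cve, fixed in JDBC_TRANSITIVE_FIXES.items() if pinned < parse_version(fixed))


def audit_hosts(host_poms):
    """host -> list of inherited CVEs ([] means rolled forward; None means no JDBC pin found)."""
    report = {}
    for host, pom in host_poms.items():
        v = pinned_jdbc_version(pom)
        report[host] = None if v is None else inherited_cves(v)
    return report


# Constructed pom.xml fragments; the pinned versions are sample values, not a real inventory.
SAMPLE_HOST_POMS = {
    "airflow-worker-01": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>net.snowflake</groupId><artifactId>snowflake-jdbc</artifactId><version>3.25.1</version>
  </dependency></dependencies></project>""",
    "ci-runner-03": """<project><dependencies><dependency>
    <groupId>net.snowflake</groupId><artifactId>snowflake-jdbc</artifactId><version>4.1.0</version>
  </dependency></dependencies></project>""",
    "dbt-host-02": """<project><dependencies><dependency>
    <groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>42.7.3</version>
  </dependency></dependencies></project>""",
}

if __name__ == "__main__":
    for host, cves in audit_hosts(SAMPLE_HOST_POMS).items():
        print(host, "->", "no JDBC pin" if cves is None else (cves or "clean"))
```

The same mapping table can be fed from an SBOM (CycloneDX or SPDX) instead of pom.xml; only pinned_jdbc_version needs to change, since the ordering rule and the CVE map are independent of where the pin was found.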
Class-level chain: connector debug logs to SIEM-mediated credential theft
The "Lower severity" cohort above all share a low individual CVSS score, but a defender should model them as a single class with a credible exfil path. The class is "secrets land in a debug log file"; debug logs are routinely shipped to a SIEM via Fluent Bit, Filebeat, or vendor agents; SIEM read access is broadly granted across security and platform teams. The end-to-end chain:
- Confirm the customer ships connector logs to a SIEM (typical for Splunk-, Sentinel-, Chronicle-, or Datadog-tier security programs). The log-forwarding agent is configured at the host level — debug-level flags on the connector flow through unchanged.
- Identify any production host where the connector is running with a non-INFO log level — JDBC, Python, .NET, Go, Node, C/C++ are all in the class. Common reasons for elevated logging: a past incident debug session that was never reverted; a verbose dbt or Airflow configuration; a developer's SNOWFLAKE_LOG_LEVEL=DEBUG still set in a CI template.
- The CVE class — CVE-2025-27496, CVE-2025-46329, CVE-2025-46326/46327/46328 — causes the connector to write client-side-encryption master keys, cached tokens, or logging-config race state into the log file. These secrets now live wherever the SIEM stores indexed events.
- Compromise a user with SIEM read access — typically a much wider population than the set with direct Snowflake access. SIEM read does not generate Snowflake audit events; the exfil step is invisible to LOGIN_HISTORY and QUERY_HISTORY until the attacker replays the harvested credential.
- Pivot back into Snowflake with the harvested key or token — typically a service-user identity with no MFA and no network policy by default.
BEGIN PRIVATE KEY, JWT eyJ prefixes, RSA modulus headers, Snowflake session-token shapes) in connector log streams; configuration-management baselines that ensure log_level is INFO in every production driver config; periodic audit of ~/.snowsql/log_file and connector log paths on CI hosts.
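The two controls named for this class, secret-shape matching in connector log streams and a log-level baseline across driver configs, are shown together below as an added example that is not part of this assessment's rule pack. The regexes are my own heuristics: the PEM header and JWT eyJ prefix are standard shapes, while the session-token and master-key patterns are assumptions about how those values appear in a connector log. The log-line layout, the config key set (SNOWFLAKE_LOG_LEVEL, log_level, tracing) and the sample lines are all constructed.

```python
"""Scan connector log lines for secret shapes and flag driver configs logging above INFO.
Added example; patterns are heuristics and the sample data is constructed."""
import re

# Secret shapes named in the chain above; session-token and master-key patterns are assumptions.
SECRET_SHAPES = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "rsa_modulus": re.compile(r"(?i)modulus\s*[:=]\s*[0-9a-f]{64,}"),
    "snowflake_session_token": re.compile(r"ver:\d+-hint:\d+-[A-Za-z0-9+/=_-]{20,}"),
    "master_key": re.compile(r"(?i)master[_ -]?key\s*[:=]\s*[A-Za-z0-9+/=]{16,}"),
}

# Assumed line layout: "<date> <time> <LEVEL> <logger> - <message>".
LEVEL_RE = re.compile(r"^\S+\s+\S+\s+(TRACE|DEBUG|INFO|WARN|ERROR)\b")
# Levels more verbose than INFO, across java.util.logging-style and conventional names.
VERBOSE_LEVELS = {"TRACE", "DEBUG", "ALL", "FINE", "FINER", "FINEST"}


def scan_log_lines(lines):
    """Return (line_no, level, shape, redacted_match) per hit; the secret itself is never echoed."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LEVEL_RE.match(line)
        level = m.group(1) if m else "UNKNOWN"
        for shape, pattern in SECRET_SHAPES.items():
            hit = pattern.search(line)
            if hit:
                redacted = hit.group(0)[:12] + "..."  # enough to triage, not enough to replay
                findings.append((n, level, shape, redacted))
    return findings


def verbose_driver_configs(configs):
    """configs: host -> {setting: value}. Return (host, key, value) for every level above INFO."""
    flagged = []
    for host, settings in sorted(configs.items()):
        for key in ("SNOWFLAKE_LOG_LEVEL", "log_level", "tracing"):
            value = settings.get(key)
            if value and value.upper() in VERBOSE_LEVELS:
                flagged.append((host, key, value))
    return flagged


# Constructed lines in a JDBC-style layout; every "secret" below is a placeholder string.
SAMPLE_CONNECTOR_LOG = [
    "2026-05-14 10:02:11 INFO  net.snowflake.client.core.SessionUtil - login succeeded for user SVC_ETL",
    "2026-05-14 10:02:12 DEBUG net.snowflake.client.core.SessionUtil - session token: ver:1-hint:1234567890123-ETMsDgAAAZaXYZabcdefghijklmnop",
    "2026-05-14 10:02:13 DEBUG net.snowflake.client.jdbc.SnowflakeFileTransferAgent - put: master_key=Zm9vYmFyYmF6cXV4cXVlZW4=",
    "2026-05-14 10:02:14 DEBUG net.snowflake.client.core.HttpUtil - Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmNfZXRsIiwiaXNzIjoidGVzdCJ9.c2lnbmF0dXJlX2NvbnN0cnVjdGVk",
    "2026-05-14 10:02:15 DEBUG net.snowflake.client.core.SessionUtil - private key loaded: -----BEGIN PRIVATE KEY-----MIIEvQIBADANBg...",
    "2026-05-14 10:02:16 WARN  net.snowflake.client.jdbc.RestRequest - retrying request after 429",
]

# Constructed per-host driver settings as a config-management export might present them.
SAMPLE_DRIVER_CONFIGS = {
    "airflow-worker-01": {"SNOWFLAKE_LOG_LEVEL": "DEBUG"},
    "ci-runner-03": {"log_level": "INFO"},
    "dbt-host-02": {"tracing": "FINEST", "log_level": "WARN"},
}

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_CONNECTOR_LOG):
        print("secret shape in log:", finding)
    for violation in verbose_driver_configs(SAMPLE_DRIVER_CONFIGS):
        print("verbose driver config:", violation)
```

Running the scanner on the forwarding host, before the line leaves for the SIEM, is the placement that matters: once the event is indexed, the wider SIEM-read population the chain describes already has it. The config check is the cheaper, preventive half and belongs in the CI template review that the SNOWFLAKE_LOG_LEVEL example in the chain points at.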
Vendor-fix pending CVE assignment
Tracked here so SBOM-aware programs can flag the affected client versions before formal CVE assignment lands. Both ship in the Snowflake Connector for Python and are visible in the release notes for the corresponding versions.
| Component | Fix release | Class | Recommended action |
|---|---|---|---|
| Snowflake Connector (Python) 4.5.0 | 2026-05-12 | Okta SAML port-comparison redirect — the validator accepted a non-default port that matched the configured Okta host on string compare but failed parsed-URL compare. | Upgrade from 4.4.x ahead of formal CVE assignment. |
| Snowflake Connector (Python) 4.5.0 | 2026-05-12 | OCSP-cache dynamic class deserialization removed from the cache-reload path. | Same upgrade path. |
| Snowflake Connector (Python) 4.4.0 | 2026-03-24 | Pulls cryptography 46.0.5 — transitive CVE-2026-26007 in the cryptography library. Not Snowflake-attributed but surfaces through the connector stack. | SBOM scanners will flag — confirm pinned versions across CI and orchestration hosts. |