Back to overview

CVE-2026-15062

CRITICAL
9.6
CVSS 3.1
Description
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.

Metadata

CVE ID
CVE-2026-15062
State
PUBLISHED
Assigner
SNOWFLAKE
Reserved
2026-07-08 14:26 UTC
Published
2026-07-08 14:32 UTC
Last updated
2026-07-08 15:18 UTC
Primary CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product
Snowflake / Snowpark Python SDK
Sources
cve.org  ·  NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Snowflake Snowpark Python SDK 0.1.0 < 1.53.0
Weakness (CWE)
CWESourceDescription
CWE-89 cna Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.6 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
References (1)
Back to overview