Overview
A critical SQL injection vulnerability tracked as CVE-2026-15062 has been disclosed in the Snowflake Snowpark Python SDK. With a CVSS score of 9.6, the flaw allows any authenticated low-privilege Snowflake user to execute SQL statements well beyond their authorized scope — including reading sensitive data from other accounts and redirecting data to unauthorized destinations.
The vulnerability was published on July 8, 2026, with Snowflake acting as the CVE Numbering Authority (CNA). All versions of snowpark-python from 0.1.0 through 1.52.x are affected; the fix landed in version 1.53.0.
CVSS Breakdown
| Metric | Value |
|---|---|
| Score | 9.6 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Attack Vector | Network (remotely exploitable) |
| Attack Complexity | Low (no special conditions required) |
| Privileges Required | Low (any authenticated Snowflake user) |
| User Interaction | None (fully automated exploitation possible) |
| Scope | Changed (impact escapes the vulnerable component) |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
Three Distinct Attack Vectors
1. DataFrameReader.dbapi() — Column Name Injection
When connecting Snowpark to an external database via the dbapi() API, column names returned by the external source are used in SQL generation without proper escaping. An attacker controlling an external database (or a database being queried) can embed SQL payloads in column names, causing those payloads to execute within the victim's Snowflake session.
2. DataFrameWriter — Location Parameter Injection
A specially crafted location parameter in DataFrameWriter write methods can redirect a COPY INTO operation to an arbitrary target, enabling unauthorized exfiltration or movement of data to attacker-controlled storage.
3. DataFrame.to_csv() — Path Sanitizer Bypass
A backslash-single-quote sequence (\') in an export path bypasses the normalize_path() sanitizer, allowing SQL injection into the generated export statement. This is a classic quote-escaping bypass against an under-tested code path.
Potential Impact
- Cross-tenant data exfiltration from Snowflake accounts
- Unauthorized read access to account data beyond the attacker's granted privileges
- Compromise of external source databases connected via
dbapi() - Data redirection to attacker-controlled storage via manipulated
COPY INTOtargets
Because the scope is marked as Changed in the CVSS vector, the impact is not limited to the Snowpark SDK itself — a successful exploit can affect the wider Snowflake account and potentially connected data sources.
Affected Versions
| Package | Affected | Fixed |
|---|---|---|
snowflake-snowpark-python | 0.1.0 – 1.52.x | 1.53.0+ |
Remediation
Upgrade to snowflake-snowpark-python 1.53.0 or later immediately:
pip install --upgrade "snowflake-snowpark-python>=1.53.0"The 1.53.0 changelog documents three corresponding fixes:
- Escaping of stage paths and file format names containing single quotes
- Correct escaping of column names with quote characters from external databases
- Escaping of string values in AI function config SQL literals
Exploitation Status
No public proof-of-concept exploit code has been identified as of the publication date. However, given the low privilege requirement and network-accessible attack vector, exploitation is considered straightforward for any authenticated attacker familiar with SQL injection techniques.
Recommendations
- Patch immediately — upgrade to
snowflake-snowpark-python>=1.53.0across all environments - Audit Snowpark usage — review code using
DataFrameReader.dbapi(),DataFrameWriterwrite methods, andDataFrame.to_csv()for any user-controlled inputs in column names, location paths, or export paths - Restrict external database connections — apply least-privilege principles to external source credentials used with
dbapi() - Monitor for anomalous
COPY INTOactivity — review Snowflake query history for unexpected data movement - Pin SDK versions in production and establish a patching pipeline for Snowflake SDK updates