Severity by source
CVSS vector (vendor: SNOWFLAKE): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local filesystem read access and a low-privileged account are required; only confidentiality is impacted, as credentials are exposed but no data is modified or made unavailable.
Primary rating from vendor (SNOWFLAKE).
Description (source: CVE.org)
Insertion of sensitive information into log files in Snowflake CLI versions prior to 3.19 allowed plaintext credentials to be written to persistent local debug logs. An attacker could exploit this by obtaining read access to the affected user's local log files, causing credentials such as passwords, tokens, or private key material to be exposed without additional application-level safeguards. Successful exploitation requires credentials to be present in the affected connection context and the resulting logs to be accessible from the local environment. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Analysis (AI-generated)
Snowflake CLI versions prior to 3.19 write plaintext credentials (including passwords, authentication tokens, and private key material) to persistent local debug log files, an instance of CWE-532 (Insertion of Sensitive Information into Log File). Any local user account with read access to the affected user's log directory can harvest these credentials without needing application-level privileges. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires two concrete conditions to both be satisfied: (1) the target user must have run Snowflake CLI with credentials present in the connection context (i.e., a configured connection profile containing a password, token, or private key), which causes those credentials to be written to the local debug log; and (2) the attacker must have local filesystem read access to the directory containing those log files, requiring at minimum a low-privileged local account on the same system (consistent with PR:L in the CVSS vector). … |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H) accurately characterizes this as a local, low-complexity issue requiring a low-privileged account, consistent with a scenario where a second local user or a compromised process reads log files written by the CLI user. … |
| Exploit Scenario | An attacker who has obtained a low-privileged local account on a developer's workstation or CI/CD runner (through phishing, a supply-chain compromise, or pivoting from another vulnerability) navigates to the Snowflake CLI log directory and reads the plaintext debug logs. The logs contain the victim's Snowflake password, session token, or private key, which the attacker then uses to authenticate directly to the victim's Snowflake account and exfiltrate data. … |
| Remediation | Upgrade Snowflake CLI to version 3.19 or later; this is a manual upgrade and does not occur automatically. … |
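As an added example (not Snowflake CLI's own code or its 3.19 fix; the CLI's logging internals are not described on this page), the following Python shows the defensive pattern that addresses CWE-532 in any CLI that keeps a persistent debug log: a `logging.Filter` that masks credential values before a record reaches the log handler, plus a scanner a defender can run over an already-written debug log to check whether it still holds credential-shaped content. The connection context, the key names treated as sensitive, and the log messages are all constructed for this example.

```python
import logging
import re
from io import StringIO

MASK = "[REDACTED]"

# Key names whose values must never reach a log (constructed list for this example;
# partial matches such as client_secret or private_key_passphrase are caught too).
SENSITIVE_KEYS = ("password", "passwd", "token", "private_key", "passphrase", "secret")

# key=value, key: value and repr-style 'key': 'value' forms.
_KV_RE = re.compile(
    r"""(?i)(?P<key>["']?(?:""" + "|".join(SENSITIVE_KEYS) +
    r""")["']?\s*[=:]\s*)(?P<quote>["']?)(?P<val>[^"'\s,}]+)(?P=quote)"""
)
# PEM private key blocks (re.S so the block may span newlines or escaped \n in a repr).
_PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)
# Bearer tokens in HTTP-style header lines, and bare JWT-shaped strings.
_BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-_.=]+")
_JWT_RE = re.compile(r"eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+")


def redact(text: str) -> str:
    """Mask every credential-shaped fragment in a log message (PEM blocks first, so the
    key=value pass sees a short placeholder instead of the full key)."""
    text = _PEM_RE.sub(MASK, text)
    text = _KV_RE.sub(lambda m: f"{m.group('key')}{m.group('quote')}{MASK}{m.group('quote')}", text)
    text = _BEARER_RE.sub(lambda m: m.group(1) + MASK, text)
    text = _JWT_RE.sub(MASK, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Formats the record eagerly and redacts the result, so neither the message template
    nor the interpolated arguments (e.g. a whole connection dict) reach the handler unmasked."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed connection context standing in for a CLI connection profile; none of these
# values are real credentials.
CONSTRUCTED_CONTEXT = {
    "account": "xy12345.us-east-1",
    "user": "alice",
    "password": "hunter2-example",
    "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSj\n-----END PRIVATE KEY-----",
}


def render_debug_log(connection_context: dict, redact_secrets: bool = True) -> str:
    """Emit the kind of debug lines a CLI might write and return them as text.
    With redact_secrets=False this reproduces the CWE-532 failure mode; with True the
    filter masks the credentials while leaving operational fields (user, account) intact."""
    logger = logging.getLogger(f"example.cli.{'redacted' if redact_secrets else 'raw'}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    stream = StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact_secrets:
        handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)

    logger.debug("connecting as user=%s to account=%s", connection_context["user"], connection_context["account"])
    logger.debug("connection context: %s", connection_context)  # the dangerous line: dumps the whole profile
    logger.debug("Authorization: Bearer %s", connection_context.get("token", ""))
    return stream.getvalue()


def find_secrets(log_text: str) -> list:
    """Defender-side check for an existing debug log: return the sorted kinds of
    credential-shaped content still present (empty list means nothing found)."""
    kinds = set()
    if _PEM_RE.search(log_text):
        kinds.add("private_key")
    if any(m.group("val") != MASK for m in _KV_RE.finditer(log_text)):
        kinds.add("credential_value")
    if _BEARER_RE.search(log_text):  # MASK contains '[' so a masked token never matches
        kinds.add("bearer_token")
    if _JWT_RE.search(log_text):
        kinds.add("jwt")
    return sorted(kinds)


if __name__ == "__main__":
    print("--- without filter (CWE-532) ---")
    print(render_debug_log(CONSTRUCTED_CONTEXT, redact_secrets=False))
    print("--- with SecretRedactingFilter ---")
    print(render_debug_log(CONSTRUCTED_CONTEXT, redact_secrets=True))
```

The filter sits on the handler rather than on the logger so it also covers records that arrive via propagation from child loggers; `find_secrets` reuses the same patterns, which is the property a defender actually wants: whatever the filter is designed to mask, the scan can confirm is absent from the files on disk.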
External POC / Exploit Code
EUVD-2026-40137
GHSA-hrp8-4956-5gr5