Skip to main content

Snowflake Spark Connector CVE-2026-15183

| EUVDEUVD-2026-43644 CRITICAL
SQL Injection (CWE-89)
2026-07-14 SNOWFLAKE GHSA-33r9-fx8q-w69h
9.2
CVSS 4.0 · Vendor: SNOWFLAKE
Share

Severity by source

Vendor (SNOWFLAKE) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Shared-session access to submit SET/staging options implies PR:L, and the required preconditions plus non-trivial injection path justify AC:H; full C/I/A impact via admin-role SQL execution.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (SNOWFLAKE).

CVSS VectorVendor: SNOWFLAKE

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 11:17 EUVD
Analysis Generated
Jul 14, 2026 - 09:31 vuln.today
CVE Published
Jul 14, 2026 - 08:42 cve.org
CRITICAL 9.2

DescriptionCVE.org

Multiple input validation vulnerabilities in the Snowflake Spark Connector (spark-snowflake) versions prior to 3.2.1 can allow attackers to exfiltrate OAuth client credentials, execute arbitrary SQL with the connector's Snowflake role, or redirect COPY operations to attacker-controlled storage. An attacker could exploit these vulnerabilities by supplying a crafted OAuth token request URL, placing malicious files in an ingestion pipeline, injecting SQL via staging options in a shared Spark environment , or issuing runtime SET commands in a shared Spark-SQL session to inject arbitrary SQL into the SnowflakeFallbackCatalog's option map, which executes under the cluster admin's JDBC credentials. Successful exploitation may result in credential theft, unauthorized access to Snowflake account data, or privilege escalation within connected infrastructure.

AnalysisAI

SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain access to shared Spark-SQL session
Delivery
Issue runtime SET / crafted staging option
Exploit
Inject SQL into SnowflakeFallbackCatalog option map
Execution
Execute under cluster admin JDBC role
Impact
Exfiltrate credentials and Snowflake data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable spark-snowflake connector (pre-3.2.1) be in use and, for the highest-impact SQL injection and privilege-escalation paths, that the attacker have access to a SHARED Spark or Spark-SQL session where they can issue runtime SET commands or supply staging/connector options that feed the SnowflakeFallbackCatalog option map - which then executes under the cluster admin's JDBC credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 9.2 (Critical) reflects network vector with full high impact to confidentiality, integrity, and availability of the vulnerable system (VC:H/VI:H/VA:H), but two metrics temper real-world ease: AC:H (high attack complexity) and AT:P (a present attack requirement/precondition). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In a shared Spark-SQL cluster, a low-privileged analyst issues a runtime SET command whose value contains crafted SQL; the connector folds this into the SnowflakeFallbackCatalog option map and executes it over the cluster admin's JDBC connection, running attacker SQL with the admin's Snowflake role. Alternatively, the attacker supplies malicious staging options or a crafted OAuth token-request URL to steal OAuth client credentials or redirect a COPY operation to storage they control. …
Remediation Upgrade the Snowflake Spark Connector to version 3.2.1 or later, which is the primary fix; consult the vendor release notes at https://docs.snowflake.com/en/release-notes/clients-drivers/spark-connector-2026 for the exact patched artifact and coordinates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Spark clusters running spark-snowflake versions prior to 3.2.1 and assess their network exposure to untrusted data sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy