Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Malicious content is delivered over the network (AV:N), but the victim must run the bundling workflow (UI:R); the attacker needs no privileges (PR:N), and the injected code yields full local C/I/A impact.
Primary rating from Vendor (SNOWFLAKE).
CVSS Vector (Vendor: SNOWFLAKE)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying crafted project content that is interpolated into generated Python code, causing Snowflake CLI to execute attacker-controlled code in the local context of the user running the CLI. Successful exploitation requires the victim to run the relevant bundling or deployment workflow against attacker-controlled project content, and any resulting code runs with the privileges of that local execution context. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
Analysis (AI)
Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). …
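The interpolation pattern described above, as an added example that is not Snowflake CLI's own template or code: a constructed callback template that formats a project-supplied handler name straight into generated Python source, beside a hardened renderer that validates the value as a dotted identifier and embeds it with repr(). The template, the register() stub and the crafted value are hypothetical; the crafted value only sets a sentinel so the extra statements are visible.

```python
import ast

# Constructed stand-in for a code-generating callback template (hypothetical;
# not Snowflake CLI's actual template). The {handler} slot is filled from
# project metadata that an attacker-controlled repository can supply.
VULNERABLE_TEMPLATE = "def callback():\n    return register('{handler}')\n"

# Constructed crafted value: closes the string literal, adds a module-level
# statement, then reopens a literal so the rendered template still parses.
CRAFTED_HANDLER = "x')\nINJECTED = True\ndef _():\n    register('"


def render_vulnerable(handler: str) -> str:
    # CWE-94 pattern: project-supplied text lands in the generated source verbatim.
    return VULNERABLE_TEMPLATE.format(handler=handler)


def render_hardened(handler: str) -> str:
    # Validate the value against the shape it must have (a dotted Python
    # identifier), then embed it as a quoted literal via repr() so it can
    # never terminate the string or append statements.
    if not all(part.isidentifier() for part in handler.split(".")):
        raise ValueError(f"invalid handler name: {handler!r}")
    return f"def callback():\n    return register({handler!r})\n"


def statement_count(source: str) -> int:
    # Defender's check on generated output: a template that fills one string
    # literal must yield exactly one top-level statement (the def).
    return len(ast.parse(source).body)


def run_generated(source: str) -> dict:
    # Execute the generated module in an isolated namespace with a stub
    # register(); INJECTED flips to True only if extra statements ran.
    ns = {"register": lambda name: name, "INJECTED": False}
    exec(source, ns)
    ns["callback"]()
    return ns


if __name__ == "__main__":
    for name in ("my_app.handler", CRAFTED_HANDLER):
        src = render_vulnerable(name)
        print(statement_count(src), run_generated(src)["INJECTED"])
```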
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim to run the Snowpark bundling or deployment workflow (the Snowflake CLI build/deploy commands) against attacker-controlled project content that is interpolated into the annotation processor callback template; this is the explicit UI:R precondition. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) reflects full confidentiality/integrity/availability impact on the local host with no attacker privileges, but it is gated by UI:R: the victim must actively run the bundling or deployment workflow against attacker-controlled project content. … |
| Exploit Scenario | An attacker publishes a seemingly legitimate Snowpark project (e.g., a sample app or library fork) containing crafted content that gets interpolated into the annotation processor callback template. A developer clones it and runs the Snowflake CLI bundle or deploy workflow; the generated Python includes the attacker's injected code, which executes immediately with the developer's local privileges, potentially stealing Snowflake credentials or pivoting into CI/CD. … |
| Remediation | Vendor-released patch: Snowflake CLI version 3.19. Upgrade manually, as the advisory notes the update is not automatic. … |
Recommended Action (AI)
24 hours: Inventory all Snowflake CLI installations across development teams and identify those running versions prior to 3.19; issue guidance restricting bundle and deployment activities to internally verified Snowpark projects only. …
Weakness: CWE-94 – Code Injection
EUVD-2026-40135
GHSA-gxp8-hq7m-332h