๐Ÿ” CVE Alert

CVE-2026-15062

CRITICAL 9.6

SQL Injection in Snowflake Snowpark Python SDK

CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API by supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query, or by including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv(). Successful exploitation may result in source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.

CWE CWE-89
Vendor snowflake
Product snowpark python sdk
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for snowflake snowpark python sdk

Be the first to know when new critical vulnerabilities affecting snowflake snowpark python sdk are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

Snowflake / Snowpark Python SDK
0.1.0 < 1.53.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/snowflakedb/snowpark-python/blob/main/CHANGELOG.md