Executive Summary
A critical SQL injection vulnerability (CVE-2026-15062) with a CVSS score of 9.6 affects Snowflake Snowpark Python SDK versions prior to 1.53.0. Authenticated low-privilege users could exploit this vulnerability to execute SQL beyond their authorization scope, potentially leading to source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data. Immediate action is required to update to version 1.53.0 or later.
Technical Analysis
This vulnerability is classified as a SQL injection (CWE-89) vulnerability in the Snowflake Snowpark Python SDK (snowpark-python). The vulnerability allows authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by:
- Embedding SQL payloads in source database column names to escalate privileges via the DataFrameReader.dbapi() API
- Supplying a specially crafted location parameter to DataFrameWriter write methods to redirect a COPY INTO to an arbitrary source query
- Including a backslash-single-quote sequence in an export path to defeat the normalize_path() sanitizer and inject SQL via DataFrame.to_csv()
The root cause of this vulnerability is the lack of proper input validation and sanitization in the affected SDK versions.
How It Gets Exploited
An authenticated low-privilege user with access to the Snowpark Python SDK could exploit this vulnerability by crafting a malicious SQL payload and embedding it in a source database column name. The attacker would then use the DataFrameReader.dbapi() API or supply a specially crafted location parameter to DataFrameWriter write methods to execute the malicious SQL. Successful exploitation could allow the attacker to escalate privileges, potentially leading to source database compromise, unauthorized cross-tenant data exfiltration, or unauthorized read of Snowflake account data.
Impact Assessment
The vulnerability affects Snowflake Snowpark Python SDK versions prior to 1.53.0. The CVSS score of 9.6 indicates a critical vulnerability with high impacts on confidentiality and integrity. If exploited, an attacker could achieve unauthorized access to sensitive data, escalate privileges, or compromise the source database.
Recommended Actions
To mitigate this vulnerability, update the Snowflake Snowpark Python SDK to version 1.53.0 or later. Additionally, consider implementing the following:
- Restrict access to sensitive data and APIs
- Monitor for suspicious activity and implement logging and auditing
- Use secure coding practices and input validation
Sources
- National Vulnerability Database (NVD) - CVE-2026-15062
- Snowflake Snowpark Python SDK Changelog - CHANGELOG.md