PT-2026-56460 · Hashicorp · Terraform Provider For Snowflake

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-15067

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Snowflake Terraform Provider versions prior to 2.18.0
Description An injection flaw exists where user-controlled input is passed into Snowflake queries without proper sanitization or escaping. This occurs due to improper input validation and identifier neutralization, leading to SQL injection and DDL (Data Definition Language) injection in provider-generated statements, including user management DDL. An attacker capable of influencing a workspace variable in a pipeline where the affected data source is enabled can execute arbitrary SQL under the provider's privileged Snowflake session. This could result in the exfiltration of sensitive data and the creation of accounts or long-lived access credentials controlled by the attacker, bypassing security controls configured by the operator.
Recommendations Upgrade to version 2.18.0.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15067

Affected Products

Terraform Provider For Snowflake