PT-2026-56460 · Hashicorp · Terraform Provider For Snowflake
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-15067
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Snowflake Terraform Provider versions prior to 2.18.0
Description
An injection flaw exists where user-controlled input is passed into Snowflake queries without proper sanitization or escaping. This occurs due to improper input validation and identifier neutralization, leading to SQL injection and DDL (Data Definition Language) injection in provider-generated statements, including user management DDL. An attacker capable of influencing a workspace variable in a pipeline where the affected data source is enabled can execute arbitrary SQL under the provider's privileged Snowflake session. This could result in the exfiltration of sensitive data and the creation of accounts or long-lived access credentials controlled by the attacker, bypassing security controls configured by the operator.
Recommendations
Upgrade to version 2.18.0.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Terraform Provider For Snowflake