PT-2026-60425 · Snowflake · Snowflake Connector For Python
CVE-2026-15925
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v4.0
9.2
Critical
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Snowflake Connector for Python versions prior to 4.7.1
Snowflake Connector for Python versions prior to 3.18.1
Description
Improper TLS hostname verification allows a network-positioned attacker to bypass certificate hostname validation on HTTPS connections. An attacker with on-path network access can intercept or redirect traffic and present a certificate signed by any trusted CA for any domain, leading the connector to accept the connection without verifying if the certificate matches the requested hostname. This requires on-path traffic interception capabilities such as ARP/DNS poisoning, rogue access points, BGP hijacking, or malicious proxies. This issue may expose credentials, query data, and staged file contents to interception and tampering, and could allow the attacker to execute arbitrary SQL within the victim's connector session, limited by the privileges of the affected Snowflake role.
Recommendations
Upgrade to version 4.7.1.
Upgrade to version 3.18.1.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snowflake Connector For Python