Critical Vulnerability in Snowflake Cortex Code CLI Allows Malware Execution and Sandbox Escape
Key Takeaways
- A critical vulnerability in Snowflake Cortex Code CLI allowed indirect prompt injection attacks to execute arbitrary commands and bypass sandbox restrictions
- The flaw exploited incomplete command validation that failed to evaluate commands within process substitution expressions, allowing unapproved malicious execution
- Attackers could have leveraged the vulnerability to exfiltrate data, drop tables, and perform other malicious actions using victim credentials in Snowflake databases
Summary
A critical vulnerability was discovered in Snowflake's Cortex Code CLI, an AI-powered command-line coding agent, just two days after its release. The flaw allowed attackers to execute arbitrary commands and install malware by bypassing the human-in-the-loop approval system through indirect prompt injection attacks. Specifically, malicious commands hidden within process substitution expressions could escape the sandbox and execute without user approval, potentially allowing attackers to exfiltrate data or compromise Snowflake databases using victim credentials.
The vulnerability stemmed from incomplete command validation in Cortex's security system. While the CLI was designed to parse and validate commands before execution, it failed to properly evaluate commands nested within process substitution expressions like <(), which are commonly used in shell scripting. An attacker could craft a malicious prompt injection—hidden in a README file, web search result, or database record—that would manipulate Cortex into executing dangerous commands without triggering approval workflows.
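The validation gap described above, as an added example that is not Snowflake's code: a first-word allowlist check beside a conservative scanner that sends any nested or chained execution construct to the human reviewer. The allowlist, the function names and the sample commands are assumptions constructed for illustration, and the scanner is a fail-closed heuristic, not a full shell parser.

```python
import shlex

# Hypothetical allowlist of commands an agent may run without human approval.
AUTO_APPROVED = {"cat", "ls", "grep", "head", "wc"}

def naive_needs_approval(command):
    """Weak check: trusts the whole line if its first word is allowlisted."""
    try:
        words = shlex.split(command)
    except ValueError:              # unbalanced quotes: fail closed
        return True
    return not words or words[0] not in AUTO_APPROVED

def nested_execution(command):
    """List shell constructs that make the shell run additional commands."""
    found, in_single, in_double, i = [], False, False, 0
    while i < len(command):
        ch, pair, step = command[i], command[i:i + 2], 1
        if ch == "\\" and not in_single:
            step = 2                # skip the escaped character
        elif ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif in_single:
            pass                    # everything inside '...' is literal
        elif pair == "$(" or (pair in ("<(", ">(") and not in_double):
            found.append(pair)      # command / process substitution
            step = 2
        elif ch == "`" or (ch in ";|&\n(" and not in_double):
            found.append(ch)        # backticks, separators, pipes, subshells
        i += step
    return found

def hardened_needs_approval(command):
    """Fail closed: nested or chained execution always goes to the reviewer."""
    return bool(nested_execution(command)) or naive_needs_approval(command)

if __name__ == "__main__":
    # Constructed sample commands, harmless by design.
    for cmd in ["cat README.md",
                "cat <(echo constructed-nested-command)",
                "grep '<(literal text)' notes.txt",
                'grep "$(echo constructed)" notes.txt']:
        print(f"{cmd!r}: naive={naive_needs_approval(cmd)} "
              f"hardened={hardened_needs_approval(cmd)} found={nested_execution(cmd)}")
```

The second sample is the case the summary describes: the first word is allowlisted, so the weak check approves the line even though the shell would also run the command inside `<( )`.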
Snowflake's security team responded quickly, releasing a patch in version 1.0.25 on February 28, 2026, just days after the vulnerability was identified. The company has published a full advisory on its Community Site detailing the incident and the remediation steps taken. The incident highlights ongoing security challenges in AI-powered coding agents and the importance of robust command validation, especially when agents have access to sensitive infrastructure and credentials.
- Snowflake patched the vulnerability within two days of discovery, releasing version 1.0.25 with a fix to properly validate all command types
Editorial Opinion
This incident underscores a critical tension in deploying AI coding agents: balancing user productivity with security. While sandbox environments and human-in-the-loop approvals are essential safeguards, their implementation must be thorough—overlooking command validation in even a single context (process substitution) created a complete bypass. As AI agents gain deeper access to infrastructure and credentials, security teams must adopt 'defense-in-depth' approaches, including workspace trust warnings and exhaustive command parsing, to prevent similar vulnerabilities from reaching production.



