Critical Vulnerability in Snowflake Cortex Code CLI Allows Sandbox Escape and Remote Code Execution

Summary

A critical vulnerability was discovered in Snowflake's Cortex Code CLI, a command-line coding agent similar to Claude Code and OpenAI's Codex, that allowed attackers to bypass sandbox protections and execute arbitrary commands without user approval. The flaw, identified just two days after release, exploited a gap in the command validation system that failed to properly evaluate commands within process substitution expressions, allowing maliciously crafted indirect prompt injections to download and execute scripts with the victim's active credentials. Attackers could leverage this vulnerability to perform unauthorized actions in Snowflake environments, including data exfiltration and table manipulation. Snowflake's security team rapidly remediated the issue, releasing a fix in version 1.0.25 on February 28th, 2026, with full details available in their security advisory on the Snowflake Community Site.

• Snowflake rapidly patched the vulnerability within days of discovery, demonstrating quick response to security threats in AI agent infrastructure

Editorial Opinion

This incident underscores a critical challenge in deploying agentic AI systems: the tension between functionality and security. While sandbox environments and human-in-the-loop approvals are important safeguards, this vulnerability reveals that incomplete validation logic can create dangerous gaps. The rapid identification and patching is commendable, but the speed of exploitation (within two days of release) highlights the need for more rigorous security testing of AI CLI tools before public release, particularly those with database integration and credential access.