Snowflake Cortex Code CLI Escapes Sandbox
PromptArmor reports that Snowflake’s Cortex Code CLI had a command-validation flaw that let an indirect prompt injection trigger unauthorized command execution, escape the sandbox, and run attacker-controlled malware using the user’s active Snowflake context. Snowflake says it validated the issue and shipped a fix in Cortex Code CLI 1.0.25 on February 28, 2026, with coordinated public disclosure on March 16, 2026.
Snowflake’s agentic CLI crossed a nasty trust boundary here: a poisoned repo prompt was enough to turn a helper tool into an RCE vector. That’s a strong reminder that “safe command” filters and sandbox modes are only as good as their parser coverage and subagent handling.
- The impact is bigger than local code execution because the CLI can act on the user’s Snowflake session, so data theft or destructive SQL becomes plausible.
- The bypass hinged on shell process substitution and a sandbox-disable path, which means attackers were exploiting both validation blind spots and workflow design.
- PromptArmor says Snowflake fixed it quickly, so this reads as a remediated security incident rather than an unresolved product flaw.
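To make the "parser coverage" point concrete, here is an added example (not Snowflake's or PromptArmor's code) that contrasts a first-token "safe command" check with a deny-by-default check that refuses shell-active syntax such as process substitution. The allowlist, function names and sample commands are constructed for illustration; the page does not give the exact payload or the real validator logic.

```python
import shlex

# Constructed allowlist for this example; not Cortex Code CLI's actual list.
SAFE_COMMANDS = {"cat", "ls", "grep", "head"}

# Characters that make a shell do more than start one program with literal
# arguments: substitution, process substitution, chaining, redirection, globs.
SHELL_ACTIVE = set("<>()$`;&|{}\n\\*?[]~!#")


def naive_is_safe(command: str) -> bool:
    """First-token allowlist: approves anything that *starts* with a safe name."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return False
    return bool(tokens) and tokens[0] in SAFE_COMMANDS


def strict_argv(command: str):
    """Return an argv list to run without a shell, or None to deny."""
    if any(ch in SHELL_ACTIVE for ch in command):
        return None  # deny instead of trying to out-parse the shell
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    if not tokens or tokens[0] not in SAFE_COMMANDS:
        return None
    return tokens  # intended for subprocess.run(tokens, shell=False)


# Constructed, harmless sample commands.
SAMPLES = [
    "cat README.md",
    "cat <(echo constructed-demo)",   # process substitution inside a "safe" command
    "ls $(echo constructed-demo)",    # command substitution
    "rm -rf build",                   # not on the allowlist at all
]


def audit(samples):
    """(command, naive verdict, strict verdict) for each sample."""
    return [(c, naive_is_safe(c), strict_argv(c) is not None) for c in samples]


if __name__ == "__main__":
    for cmd, naive, strict in audit(SAMPLES):
        print(f"{cmd!r:36} naive={naive!s:5} strict={strict}")
```

The strict check only holds if the approved argv is executed directly, never re-joined into a string and handed to a shell, and if every subagent's commands pass through the same gate.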
Discovered: 2026-03-18
Published: 2026-03-18
Author: ozgune