Critical SQL Injection in Snowflake Terraform Provider Exposes Data and Allows Unauthorized Access
Snowflake Terraform Provider versions prior to 2.18.0 are vulnerable to SQL injection and DDL injection, identified as CVE-2026-15067. This critical flaw allows attackers to execute arbitrary SQL commands under the provider's privileged Snowflake session. Furthermore, it enables DDL injection into user management statements, which can lead to the creation of user accounts with attacker-controlled credentials. The exploitation of this vulnerability requires an attacker to influence a workspace variable within a pipeline where the vulnerable data source was enabled.
This vulnerability is of paramount concern for any organization leveraging the Snowflake Terraform Provider for infrastructure management. The potential for arbitrary SQL execution and the creation of unauthorized accounts directly compromises the confidentiality, integrity, and availability of data stored within Snowflake. For DevOps and cloud engineers, this translates to a direct threat of data breaches within their data warehouses, which frequently house highly sensitive business and customer information. The assigned CVSS base score of 8.8, indicating HIGH severity, underscores the urgent need for immediate action to prevent significant data loss, unauthorized system access, and potential non-compliance with data protection regulations.
This incident serves as a stark reminder of the persistent challenges in securing the Infrastructure as Code (IaC) ecosystem, particularly concerning third-party providers and modules. While IaC tools like Terraform are instrumental in automating infrastructure provisioning, they inherently introduce supply chain risks. A vulnerability within a widely adopted provider can propagate rapidly, impacting numerous organizations. This is not an isolated occurrence; similar security flaws have been discovered in other providers and modules across the IaC landscape. Such events reinforce the necessity for robust security practices, including rigorous dependency scanning, timely patching, and meticulous vetting of all components integrated into the IaC pipeline. The 'shift-left' security philosophy, which advocates for embedding security considerations early in the development lifecycle, is particularly relevant here, urging practitioners to scrutinize provider versions and sanitize all inputs.
In practice, practitioners must prioritize identifying all Terraform configurations that utilize the Snowflake provider and ensure they are running version 2.18.0 or newer. The upgrade process is manual and should be executed without delay. Organizations should also conduct a thorough review of their CI/CD pipelines to verify that workspace variables are adequately secured and that all inputs to Terraform configurations are properly sanitized or validated to prevent potential injection attacks. Implementing automated vulnerability scanning tools specifically designed for Terraform configurations and their dependencies is crucial for ongoing security. Furthermore, teams should proactively audit their Snowflake environments for any indicators of unauthorized access, newly created user accounts, or attempts at data exfiltration that might have occurred before the patch was applied. This situation underscores the critical importance of maintaining a comprehensive inventory of all third-party IaC components and subscribing to their respective security advisories.
Read original source