1. Home
  2. Vulnerabilities
  3. CVE-2026-13751
4.1
MEDIUM CVSS 3.1
CVE-2026-13751
Snowflake CLI Server-Side Request Forgery via Arbitrary URL Fetch in !source/!load
Overview
Description

Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause the victim's environment to issue unintended outbound requests to internal or otherwise non-public network locations, and could cause remote SQL content to be retrieved and executed in the context of the victim user's session. Successful exploitation requires the victim to process attacker-controlled content through a vulnerable command path and is limited by the privileges available to that session and environment. The fix is available in Snowflake CLI version 3.19, which adds an option to disable remote URL retrieval.

Details
INFO

Published Date :

June 29, 2026, 4:12 p.m.

Last Modified :

June 29, 2026, 4:12 p.m.

Remotely Exploit :

No

Source :

SNOWFLAKE
Impact
Affected Products

The following products are affected by CVE-2026-13751 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM 412d305a-227d-44f9-a262-a31ba44f2aea
Solution
Update Snowflake CLI to version 3.19 or later to disable remote URL retrieval.
  • Update Snowflake CLI to version 3.19 or later.
  • Disable remote URL retrieval in CLI configuration.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-13751 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 4.1
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact