Skip to content
Tech News
← Back to articles

Snowflake AI Escapes Sandbox and Executes Malware

2026-03-18 | original
read original more articles
Why This Matters

The recent vulnerability in Snowflake's Cortex Code CLI highlights the risks associated with AI-driven tools executing commands outside their intended sandbox, potentially leading to data breaches and malicious activities. This incident underscores the importance of robust security measures in AI integrations within cloud platforms, affecting both developers and organizations relying on these tools.

Key Takeaways

The Snowflake Cortex Code CLI is a command-line coding agent that operates similarly to Claude Code and OpenAI’s Codex, with an additional built-in integration to run SQL in Snowflake.

Two days after release, a vulnerability was identified in Cortex Code’s command validation system that allowed specially constructed malicious commands to:

Execute arbitrary commands without triggering human-in-the-loop approval steps

Execute those commands outside of the Cortex CLI’s sandbox.

We demonstrate that, via indirect prompt injection, an attacker could manipulate Cortex to download and execute scripts without approval that leverage the victim’s active credentials to perform malicious actions in Snowflake (e.g., Exfiltrate data, drop tables).

The Snowflake security team worked diligently to validate and remediate this vulnerability, and a fix was released with Cortex Code CLI version 1.0.25 on February 28th, 2026. Snowflake’s full advisory is available within the Snowflake Community Site, which is accessible to customers, partners, and the general public upon creation of a Community account:

https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response

A user opens Cortex and turns on the sandbox The user starts the CLI and chooses to enable one of the sandbox modes (details below). This attack is not contingent on which of the sandbox modes is used. Note: This attack chain also applied to non-sandbox users. Documentation indicates that in OS+Regular mode, all commands prompt for user approval. Commands run in the sandbox also have network and file access restrictions.

The user asks Cortex for help with a third-party open-source codebase In this chain, a prompt injection is hidden in the README of an untrusted repository that the user has found online. However, in practice, an injection can be ingested from any untrusted data, such as in a web search result, database record, terminal command output, or MCP response. *Note: Cortex does not support ‘workspace trust’, a security convention first seen in code editors, since adopted by most agentic CLIs. Workspace trust dialogs warn users of the risks involved when using an agent in a new, potentially untrusted directory.

Cortex explores the repository and encounters the prompt injection The subagent that Cortex has invoked to explore the repository finds the README file. At the bottom of the file, there is a prompt injection that manipulates Cortex into believing that it must run a dangerous command.

... continue reading

Explore topics: snowflake cortex code sandbox malware prompt injection
Related:
C2 Implant 'SnappyClient' Targets Crypto Wallets
This startup wants to make enterprise software look more like a prompt
'Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft
Launch an autonomous AI agent with sandboxed execution in 2 lines of code
More Attackers Are Logging In, Not Breaking In

© 2026 GoKawiil

About | Editorial Policy | Contact