CVE-2026-15067 in Terraform Provider
Summary
by MITRE • 07/08/2026
Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration and minting of long-lived access credentials. Exploitation requires the ability for an attacker to influence a workspace variable in a pipeline where this data source was enabled. Improper neutralization of identifier content in user resource inputs could allow DDL injection into user management statements, potentially causing accounts to be created with attacker-controlled credentials and without the security controls configured by the operator. The fix is available in Snowflake Terraform Provider version 2.18.0. Users must manually upgrade.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The Snowflake Terraform Provider vulnerability represents a critical security flaw affecting versions prior to 2.18.0 that exposes organizations to significant operational risks through multiple attack vectors. This vulnerability stems from inadequate input sanitization mechanisms within the provider's data source handling and user resource management components, creating pathways for sophisticated attackers to exploit privileged access within Snowflake environments.
The primary SQL injection vulnerability occurs when unsanitized data source inputs are processed without proper validation or escaping mechanisms. This flaw allows attackers to inject malicious SQL commands that execute under the elevated privileges of the Terraform provider's Snowflake session. The implications extend beyond simple data manipulation to include potential credential exfiltration, unauthorized access to sensitive datasets, and creation of persistent backdoor access points through long-lived credentials. According to CWE-89, this represents a classic SQL injection vulnerability where attacker-controlled input directly influences database query execution without proper sanitization.
The secondary vulnerability involves improper neutralization of identifier content within user resource inputs, which creates DDL injection opportunities in user management operations. When user identifiers are not properly escaped or validated before being incorporated into database statements, attackers can manipulate the underlying data definition language to create accounts with maliciously controlled credentials. This type of vulnerability maps directly to CWE-94, which addresses the improper neutralization of dangerous control elements in the context of dynamic code execution and user input handling.
These vulnerabilities operate within the broader ATT&CK framework under the T1078 credential access and T1059 command and scripting interpreter tactics, enabling attackers to establish persistent access and execute arbitrary commands within the Snowflake environment. The exploitation requires minimal privileges since attackers only need to influence workspace variables in pipeline configurations where the vulnerable data sources are enabled, making this particularly dangerous in CI/CD environments where multiple stakeholders may have access to configuration files.
The operational impact of these vulnerabilities extends beyond immediate security breaches to include potential compliance violations and data loss incidents. Organizations using affected provider versions face risks of unauthorized data access, privilege escalation, and potential compromise of their entire Snowflake infrastructure. The fix implemented in version 2.18.0 addresses both injection vectors through comprehensive input sanitization and validation mechanisms that properly escape special characters and validate all user-supplied identifiers before incorporating them into database operations.
Mitigation strategies require immediate action from affected organizations to upgrade to Snowflake Terraform Provider version 2.18.0, as manual intervention is necessary since automatic updates are not available. Security teams should conduct comprehensive audits of their CI/CD pipelines to identify any remaining instances of the vulnerable provider versions and ensure that all workspace variables are properly secured against unauthorized modification. Additionally, organizations should implement monitoring for suspicious Terraform execution patterns and consider implementing additional access controls around sensitive configuration parameters that could influence database operations through the provider interface.