CVE-2026-15736 in SQLAlchemyinfo

Summary

by MITRE • 07/14/2026

Snowflake SQLAlchemy versions prior to 1.11.0 contain several security vulnerabilities, including: Improper handling of user-supplied column identifiers in merge operations could allow SQL injection through attacker-controlled input keys. An attacker may be able to exploit this through request field names in a dynamic upsert endpoint, potentially enabling read access to data visible to the application's database role or modification of values within the same MERGE statement. Improper literal rendering of bound parameters when building certain Snowflake-specific table creation queries could allow SQL injection. An attacker may be able to exploit this by supplying a crafted string to any application endpoint that passes user-controlled data through the affected query-building API, potentially causing arbitrary data exfiltration within the scope of the connection role. Improper forwarding of connection configuration parameters could allow an attacker to cause the library to read arbitrary local files and transmit their contents to an attacker-controlled endpoint. An attacker may be able to exploit this in deployment environments that accept user-controlled connection parameters, potentially exposing sensitive files accessible to the application process. The fix is available in Snowflake SQLAlchemy version 1.11.0. Users must manually upgrade.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

The Snowflake SQLAlchemy library versions before 1.11.0 contain critical security vulnerabilities that expose applications to various injection and data exposure risks. These vulnerabilities stem from inadequate input validation and improper parameter handling within the library's query building mechanisms, creating pathways for attackers to manipulate database operations and extract sensitive information.

The primary vulnerability involves improper handling of user-supplied column identifiers during merge operations, which creates a sql injection vector through attacker-controlled input keys. This flaw specifically affects dynamic upsert endpoints where request field names are processed directly without proper sanitization. According to CWE-89, this represents a classic sql injection vulnerability that can be exploited by malicious actors to execute unauthorized database commands. The impact allows attackers to gain read access to data visible through the application's database role or modify values within the same merge statement, potentially leading to data integrity compromise and unauthorized data manipulation.

A secondary vulnerability exists in the literal rendering of bound parameters when constructing Snowflake-specific table creation queries. This improper parameter handling creates another sql injection opportunity where attackers can supply crafted strings through application endpoints that utilize the affected query-building API. The vulnerability operates at the level of CWE-74, which addresses injection flaws in parameter handling, and can result in arbitrary data exfiltration within the scope of the connection role, potentially exposing sensitive database contents to unauthorized parties.

The most severe vulnerability involves improper forwarding of connection configuration parameters that enables local file inclusion attacks. Attackers can exploit this weakness in deployment environments accepting user-controlled connection parameters to force the library to read arbitrary local files and transmit their contents to attacker-controlled endpoints. This vulnerability aligns with CWE-22, which covers path traversal and file inclusion issues, and represents a significant risk as it allows for sensitive file exposure including configuration files, credentials, and other system information accessible to the application process.

These vulnerabilities collectively represent a comprehensive attack surface that can be exploited through various application interfaces, from web endpoints processing user input to deployment configurations accepting external parameters. The flaws demonstrate poor input validation practices and inadequate parameter sanitization within the database abstraction layer, creating opportunities for attackers to escalate privileges and access sensitive data beyond normal application boundaries. Organizations must urgently upgrade to Snowflake SQLAlchemy version 1.11.0 to remediate these issues, as manual intervention is required since automatic updates are not provided.

The security implications extend beyond immediate data exposure risks to include potential privilege escalation and persistent access to database resources. Attackers exploiting these vulnerabilities can leverage the established database connections to perform unauthorized operations and maintain access to sensitive information, making these flaws particularly dangerous in enterprise environments where database security is paramount. The ATT&CK framework categorizes these issues under privilege escalation and data extraction techniques, emphasizing their potential for long-term security compromise.

Mitigation strategies should focus on immediate version upgrades combined with comprehensive input validation across all application interfaces that interact with database operations. Organizations should also implement network segmentation and access controls to limit the scope of potential exploitation while monitoring for suspicious database activities that might indicate attempted exploitation of these vulnerabilities. Regular security assessments of database abstraction layers and continuous monitoring of parameter handling practices will help prevent similar issues from emerging in future deployments.

The vulnerability landscape demonstrates how seemingly minor flaws in database libraries can create significant security risks when combined with improper application design patterns. The combination of sql injection vectors, local file inclusion vulnerabilities, and inadequate parameter validation creates a complex attack surface that requires comprehensive remediation efforts. Security teams must prioritize these upgrades alongside other critical infrastructure updates to maintain robust defense against evolving threats targeting database systems and their underlying abstraction layers.

Responsible

SNOWFLAKE

Reservation

07/14/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!