Cyber Resilience

CVE-2026-6442

Severity: High
Published: 16 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (fixed in 1.0.25, applied automatically on relaunch)
CVSS v3.1 score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0036 (27.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6442 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in Snowflake Cortex Code CLI (product inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 27.5th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6442 is an improper validation of bash commands vulnerability affecting Snowflake Cortex Code CLI versions prior to 1.0.25. The CLI's agent validates a proposed command before running it inside a sandbox, but because that validation does not check the syntactic correctness of the whole command line (CWE-1286, Improper Validation of Syntactic Correctness of Input), commands chained after the validated one execute outside the intended sandbox. Published on 2026-04-16 with a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H), it is rated high severity because a successful exploit affects confidentiality, integrity, and availability of the local device.

An attacker can exploit this vulnerability over the network (AV:N) by embedding specially crafted commands in untrusted content, such as a malicious repository, that the agent later reads. The victim must interact with that content through the CLI (UI:R); no privileges are needed (PR:N), but attack complexity is high (AC:H) because exploitation is non-deterministic and model-dependent: the injected content has to steer the model into emitting the chained command. When it succeeds, the agent executes arbitrary code on the victim's local device without further user consent, and the changed scope (S:C) reflects that the code runs outside the sandbox that was meant to contain it, with high impact across confidentiality, integrity, and availability.

Snowflake's advisory confirms the fix is applied automatically when the CLI is relaunched, so no user action is required beyond restarting it. Further details are in the PromptArmor report and Snowflake's response on the Snowflake community site (https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response) and on PromptArmor's site (https://www.promptarmor.com/).

Vulnerability details

Improper validation of bash commands in Snowflake Cortex Code CLI versions prior to 1.0.25 allowed subsequent commands to execute outside the sandbox. An attacker could exploit this by embedding specially crafted commands in untrusted content, such as a malicious repository, causing the CLI agent to execute arbitrary code on the local device without user consent. Exploitation is non-deterministic and model-dependent. The fix is automatically applied upon relaunch with no user action required.

CWE(s)

CWE-1286 Improper Validation of Syntactic Correctness of Input

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability enables arbitrary bash command execution outside the sandbox through improper validation of commands derived from untrusted repository content, which maps directly to Unix Shell (T1059.004); because the victim must open or interact with the malicious content via the CLI, it also maps to Malicious File (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22868 (shared CWE-1286)
CVE-2026-24087 (shared CWE-1286)
CVE-2026-24091 (shared CWE-1286)
CVE-2026-7307 (shared CWE-1286)
CVE-2026-24089 (shared CWE-1286)
CVE-2025-41719 (shared CWE-1286)
CVE-2025-0638 (shared CWE-1286)
CVE-2026-33778 (shared CWE-1286)
CVE-2025-59785 (shared CWE-1286)
CVE-2026-40198 (shared CWE-1286)

Affected Assets

Snowflake
Cortex Code CLI
Product inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of inputs such as bash commands, so that a command line is checked as a whole before execution rather than allowing chained commands to escape the sandbox.

SC-39 Process Isolation (prevent)

Enforces process isolation to maintain the CLI agent's sandbox integrity, blocking breakout and arbitrary code execution from untrusted content even when command validation fails.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation, such as updating to Snowflake Cortex Code CLI version 1.0.25 (applied automatically on relaunch), to correct the improper command validation vulnerability.

References

PromptArmor Report - Snowflake Response, Snowflake Community: https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response
PromptArmor: https://www.promptarmor.com/