CVE-2026-15925
Snowflake · Snowflake Connector for Python
The Snowflake Connector for Python fails to properly verify TLS hostnames, allowing a network-positioned attacker to intercept traffic or execute arbitrary SQL queries via certificate spoofing.
Executive summary
A critical vulnerability in the Snowflake Connector for Python allows attackers with on-path network access to intercept sensitive data and execute unauthorized SQL queries.
Vulnerability
This is an improper TLS hostname verification flaw (CWE-297) that allows an unauthenticated, network-positioned attacker to present a malicious certificate, causing the connector to trust the connection and expose credentials or query data.
Business impact
Successful exploitation poses a severe risk to organizational data integrity and confidentiality. Because the flaw allows for the execution of arbitrary SQL commands, attackers could potentially exfiltrate sensitive information from the Snowflake database or modify records, leading to significant compliance and reputational damage. The CVSS score of 9.2 reflects the high technical impact despite the requirement for an on-path attacker.
Remediation
Immediate Action: Upgrade the Snowflake Connector for Python to version 3.18.1 or 4.7.1 immediately to implement correct hostname validation.
Proactive Monitoring: Review network and application logs for unusual connectivity patterns or unexpected SQL queries emanating from systems utilizing the connector.
Compensating Controls: Ensure all database traffic is restricted to encrypted tunnels or VPNs to reduce the risk of on-path interception while the update is being deployed.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
This vulnerability represents a high-risk exposure for any environment relying on the Snowflake Connector for Python. Administrators should prioritize patching as the primary defense, as this flaw directly undermines the security of database communications. Given the potential for unauthorized data access and command execution, immediate deployment of the fixed versions is strongly recommended.