Snowflake Cortex AI Escapes Sandbox and Executes Malware
A critical vulnerability in Snowflake's Cortex Code CLI (an AI coding agent) allowed attackers to bypass human-in-the-loop approval and escape the sandbox via indirect prompt injection. The flaw stemmed from the command validation system failing to evaluate shell commands inside process substitution expressions. Combined with the ability to set a dangerously_disable_sandbox flag without user consent, an attacker could embed a malicious payload in a repository README, causing Cortex to silently download and execute a shell script. The script could then steal cached Snowflake authentication tokens to exfiltrate data, drop tables, add backdoor users, or lock out legitimate users. A subagent context-loss bug further masked the attack by causing the main agent to warn the user about the malicious command after it had already been executed. The vulnerability was responsibly disclosed on Feb 5, 2026 and patched in Cortex Code CLI v1.0.25 on Feb 28, 2026.
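The validation gap described above, as an added example (not Snowflake's code; the allow-list, the function names and the naive model are assumptions made here): a validator that checks only top-level command words, beside one that recurses into process and command substitutions and sends anything it cannot parse to human approval.

```python
import re
import shlex

# Hypothetical allow-list of read-only commands that may run without approval.
SAFE = {"cat", "ls", "grep", "head", "wc", "echo"}
OPS = r"[;|&\n]+"  # control operators that start a new command

def naive_auto_approved(cmd):
    """Model of the flaw class: only top-level command words are checked."""
    return all(w[0] in SAFE for w in map(str.split, re.split(OPS, cmd)) if w)

def split_substitutions(cmd):
    """Swap $(..), <(..), >(..), `..` for a placeholder; return (outer, bodies)."""
    outer, bodies, i, in_dq = [], [], 0, False
    while i < len(cmd):
        c, two = cmd[i], cmd[i:i + 2]
        if c == "\\":                          # escaped character: copy both
            outer.append(two); i += 2
        elif c == "'" and not in_dq:           # single quotes: nothing expands
            end = cmd.find("'", i + 1)
            if end < 0:
                raise ValueError("unterminated quote")
            outer.append(cmd[i:end + 1]); i = end + 1
        elif c == "`":
            end = cmd.find("`", i + 1)
            if end < 0:
                raise ValueError("unterminated backtick")
            bodies.append(cmd[i + 1:end]); outer.append("_SUB_"); i = end + 1
        elif two in ("$(", "<(", ">("):        # count parentheses to the close
            depth, j = 1, i + 2
            while j < len(cmd) and depth:
                depth += (cmd[j] == "(") - (cmd[j] == ")")
                j += 1
            if depth:
                raise ValueError("unterminated substitution")
            bodies.append(cmd[i + 2:j - 1]); outer.append("_SUB_"); i = j
        else:
            in_dq ^= (c == '"')
            outer.append(c); i += 1
    return "".join(outer), bodies

def auto_approved(cmd, depth=0):
    """Approve only if every command word at every nesting level is allow-listed."""
    try:
        outer, bodies = split_substitutions(cmd)
        segs = [shlex.split(s) for s in re.split(OPS, outer)]
    except ValueError:
        return False                           # unparseable input goes to the human
    return (depth < 8 and all(w[0] in SAFE for w in segs if w)
            and all(auto_approved(b, depth + 1) for b in bodies))
```

For the constructed input `cat <(sh ./constructed_script.sh)`, `naive_auto_approved` returns `True` while `auto_approved` returns `False`. The hardened check is deliberately conservative: control operators inside quotes and unbalanced parentheses fail closed rather than being interpreted.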