A vulnerability in the Snowflake Cortex Code CLI allowed malware to be installed and executed via indirect prompt injection, bypassing human-in-the-loop command approval and escaping the sandbox.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A critical vulnerability in Snowflake's Cortex Code CLI (an AI coding agent) allowed attackers to bypass human-in-the-loop approval and escape the sandbox via indirect prompt injection. The flaw stemmed from the command validation system failing to evaluate shell commands inside process substitution expressions. Combined with the ability to set a dangerously_disable_sandbox flag without user consent, an attacker could embed a malicious payload in a repository README, causing Cortex to silently download and execute a shell script. The script could then steal cached Snowflake authentication tokens to exfiltrate data, drop tables, add backdoor users, or lock out legitimate users. A subagent context-loss bug further masked the attack by causing the main agent to warn the user about the malicious command after it had already been executed. The vulnerability was responsibly disclosed on Feb 5, 2026 and patched in Cortex Code CLI v1.0.25 on Feb 28, 2026.

Snowflake Cortex AI Escapes Sandbox and Executes Malware