18.03.2026

AI Sandbox Escape: What the Snowflake Cortex Vulnerability Teaches SREs


Just two days after Snowflake released their Cortex Code CLI, security researchers at PromptArmor discovered a vulnerability that let attackers bypass sandbox protections entirely. The full disclosure reveals an attack chain that should concern every SRE deploying AI coding assistants.

What Happened

Snowflake Cortex Code is a command-line AI coding agent similar to Claude Code or OpenAI Codex, with built-in Snowflake SQL integration. It includes sandbox modes that restrict network access and file operations and require human approval before commands run.

The vulnerability exploited a gap in command validation: commands wrapped in shell process substitution expressions slipped through the validator without triggering approval prompts. Combined with indirect prompt injection hidden in a repository README, attackers could make Cortex:

  • Execute arbitrary commands without user consent
  • Break out of the sandbox environment
  • Access cached authentication tokens
  • Run malicious operations against Snowflake instances

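To make the validation gap concrete, here is an added example (not Snowflake's code; the real Cortex Code validator and allowlist are not public). It contrasts a naive gate that auto-approves a command because its first word is on an allowlist with a stricter gate that refuses to auto-approve anything containing shell syntax such as process substitution, command substitution, pipes or redirections, and instead routes it to a human. The allowlist, the agent wrapper and the sample commands are constructed for illustration.

```python
"""Command gate for an AI coding agent: naive allowlist beside a stricter gate.

Added illustration, not Snowflake's implementation. SAFE_COMMANDS is a
hypothetical allowlist of read-only tools.
"""
import re
import shlex

# Hypothetical allowlist: tools the agent may run without asking (assumption).
SAFE_COMMANDS = {"ls", "cat", "git", "grep", "pwd"}

# Any of these characters lets a "safe" first word carry extra execution or I/O:
#   <( and >(  process substitution      $( and `  command substitution
#   |  pipes   ;  &  chaining/background  < >  redirections  $  expansion
# A match means the command is shown to a human rather than auto-run.
SHELL_SYNTAX_RE = re.compile(r"[|;&<>`$]|\n")


def naive_gate(command: str) -> str:
    """Approve when the first word is allowlisted. This is the flawed pattern:
    the validator inspects the program name and ignores the rest of the line."""
    words = command.strip().split()
    first = words[0] if words else ""
    return "auto-approve" if first in SAFE_COMMANDS else "needs-approval"


def strict_gate(command: str) -> str:
    """Auto-approve only plain argv-style invocations of allowlisted tools.

    Anything the shell would expand or rewire goes to a human. Unbalanced
    quoting is treated as unsafe rather than guessed at.
    """
    if SHELL_SYNTAX_RE.search(command):
        return "needs-approval"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "needs-approval"
    if not argv or argv[0] not in SAFE_COMMANDS:
        return "needs-approval"
    # Caveat: a first-word allowlist is still only a floor. Tools like git can
    # run other programs through aliases or pager settings, so a production
    # gate also needs per-tool argument policies, not just this check.
    return "auto-approve"


def compare_gates(commands: list[str]) -> list[dict]:
    """Run both gates over proposed commands and report where they disagree."""
    rows = []
    for cmd in commands:
        n, s = naive_gate(cmd), strict_gate(cmd)
        rows.append({"command": cmd, "naive": n, "strict": s, "gap": n != s})
    return rows


if __name__ == "__main__":
    # Constructed sample commands; the process-substitution one is harmless
    # here but has the shape that a first-word check waves through.
    for row in compare_gates(["git status", 'cat "a b.txt"', "ls <(echo hi)", "rm -rf build"]):
        print(row)
```

The disagreement rows are the interesting ones: `ls <(echo hi)` is auto-approved by the naive gate and held for review by the strict one, which is exactly the kind of case an audit of your own tool's validator should be looking for.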
The Attack Chain in Detail

The attack starts when a user opens a project containing a poisoned README file. The prompt injection instructs Cortex to run a dangerous command wrapped in a way that bypasses validation. Once executed outside the sandbox, the script accesses cached Snowflake credentials and can exfiltrate data, drop tables, or add backdoor users.

What makes this particularly insidious: during testing, the main Cortex agent sometimes reported finding malicious commands and warned users not to run them, while a sub-agent had already executed those commands. Context loss between agent layers masked the actual breach.

Why SREs Should Care

AI coding assistants are becoming standard tools in development workflows. They run with your credentials, access your infrastructure, and operate with significant autonomy. The Snowflake incident highlights several risks:

  • Sandbox trust is fragile. Validation gaps can turn sandboxes into security theater.
  • Prompt injection is real. Untrusted data from repos, web searches, or database queries can manipulate agent behavior.
  • Credential exposure amplifies impact. Cached tokens mean a local compromise becomes a cloud compromise.
  • Non-deterministic attacks complicate detection. The ~50% success rate observed means traditional testing may miss the vulnerability.

Defensive Measures

If you deploy AI coding tools in your environment, consider these mitigations:

  • Audit sandbox implementations. Review how your tools validate commands, especially shell expressions.
  • Enforce workspace trust. Treat new repositories as untrusted until explicitly approved.
  • Rotate credentials frequently. Limit the lifetime of cached authentication tokens.
  • Monitor agent activity. Log all commands AI assistants execute, not just those requiring approval.
  • Keep tools updated. Snowflake patched Cortex Code in version 1.0.25 on February 28, 2026.
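The monitoring point above, and the earlier observation that the main agent warned about a command a sub-agent had already run, both come down to having an execution record that does not depend on what any single agent layer reports. The following is an added example (not Akmatori's product code and not Snowflake's): every agent layer appends a JSON-lines event for each command decision, and a reconciliation pass flags commands that one layer logged as blocked while another layer logged as executed. The layer names, event schema and sample events are constructed.

```python
"""Audit log for agent-executed commands plus a masked-execution check.

Added illustration. Agent layer names ("main", "subagent-1") and the event
schema are assumptions, not the product's own format.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CommandEvent:
    ts: str
    agent: str      # which agent layer produced the event (hypothetical names)
    command: str
    decision: str   # "executed", "blocked" or "approval-requested"
    cwd: str

    @property
    def command_id(self) -> str:
        # Stable id so the same command string seen by two layers can be matched.
        return hashlib.sha256(self.command.encode()).hexdigest()[:16]


class AuditLog:
    """Append-only JSON-lines log kept in memory here; in production this
    would be a sink the agent process cannot truncate or rewrite."""

    def __init__(self) -> None:
        self.lines: list[str] = []

    def record(self, agent: str, command: str, decision: str,
               cwd: str = "/workspace") -> CommandEvent:
        ev = CommandEvent(datetime.now(timezone.utc).isoformat(),
                          agent, command, decision, cwd)
        self.lines.append(json.dumps(asdict(ev)))
        return ev

    def events(self) -> list[CommandEvent]:
        return [CommandEvent(**json.loads(line)) for line in self.lines]


def find_masked_executions(log: AuditLog) -> list[dict]:
    """Return commands that some layer logged as blocked while another layer
    logged as executed. Those are the cases where a user-facing warning
    would have hidden a real execution."""
    executed: dict[str, list[CommandEvent]] = {}
    blocked: dict[str, list[CommandEvent]] = {}
    for ev in log.events():
        if ev.decision == "executed":
            executed.setdefault(ev.command_id, []).append(ev)
        elif ev.decision == "blocked":
            blocked.setdefault(ev.command_id, []).append(ev)
    findings = []
    for cid in sorted(blocked.keys() & executed.keys()):
        findings.append({
            "command": blocked[cid][0].command,
            "blocked_by": [e.agent for e in blocked[cid]],
            "executed_by": [e.agent for e in executed[cid]],
        })
    return findings


def demo() -> list[dict]:
    # Constructed sequence: a sub-agent runs a command, then the main agent
    # inspects the same string, flags it, and tells the user it was blocked.
    log = AuditLog()
    log.record("main", "git status", "executed")
    log.record("subagent-1", "cat <(echo hi)", "executed")
    log.record("main", "cat <(echo hi)", "blocked")
    return find_masked_executions(log)


if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

The design choice worth copying is that the log records decisions from every layer, including sub-agents, and the reconciliation runs outside the agent, so an agent's own summary of what it did is never the only evidence.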

Conclusion

The Snowflake Cortex sandbox escape is a wake-up call. AI agents are powerful productivity tools, but they expand your attack surface in ways traditional security models do not anticipate. The fix was deployed quickly, but the vulnerability existed for nearly a month after release.

As AI coding assistants become standard infrastructure, SRE teams need to treat them like any other privileged service: monitor, restrict, and verify.


Akmatori helps SRE teams automate operations with AI agents built for reliability. Hosted on Gcore infrastructure, we bring intelligent automation to your incident response and platform management workflows.

Automate incident response and prevent on-call burnout with AI-driven agents!