External risk intelligence

Snowflake Datasource Vulnerability Allows Unauthorized File Access

CVE advisorySeverity: HIGH (CVSS 8.1)

CVE-2026-28381

The vulnerability resides in a Grafana Snowflake datasource plugin. While Grafana instances are frequently internet-facing, this specific functionality requires authenticated access to execute queries. Consequently, the plugin is typically used within internal data analysis workflows, limiting the exposure of this specific attack vector to broader public internet access.

Grafana Snowflake

1.14.7 to 1.14.12

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a vulnerability in the Grafana Snowflake datasource plugin that could allow authenticated users to read or write files between the Grafana server and Snowflake. The core concern is confirming if this specific data integration is in use within your environment.

  • Data access allowed between Grafana and Snowflake.
  • Understand if sensitive data integration is exposed.
  • Verify usage of Snowflake datasource in Grafana.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Grafana could exploit the Snowflake data source feature. By crafting specific GET or PUT commands, they can read or write files between the Grafana server and the Snowflake host, potentially leading to unauthorized data access or modification.

  • Authenticated access required.
  • Triggers via GET/PUT commands.
  • Read/write files between hosts.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow any authenticated user to read or write files between the Grafana server and the Snowflake host by leveraging GET/PUT commands. The impact is dependent on the specific access rights the user has within Grafana and Snowflake.

  • Reads or writes to files on hosts.
  • Authenticated users can issue commands.
  • Unauthorized file access and modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Grafana Snowflake datasource impacts systems where users can run queries, potentially allowing unauthorized file read/write operations between the Grafana server and Snowflake hosts. Identifying affected Grafana instances, confirming their reachability and business criticality, and then locating the accountable owner are the crucial first steps to managing this risk. Remediation planning should follow this initial assessment.

  • Application or platform teams own remediation.
  • Verify Snowflake datasource access controls.
  • Plan maintenance for identified systems.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Grafana Snowflake datasource plugin?

It is a software component within Grafana that connects your dashboard environment to Snowflake's data warehousing platform. Analysts use it to query Snowflake data and visualize it within Grafana reports. By facilitating this bridge, the plugin allows the Grafana server to exchange information with the Snowflake host, which is the specific communication channel impacted by this vulnerability.

How does CVE-2026-28381 impact file security?

This vulnerability is an improper access control issue where the plugin fails to restrict specific commands. By misusing the GET and PUT functions, an attacker can bypass intended data access boundaries to read or write files directly on the connected Grafana server or the Snowflake host, essentially gaining unauthorized file system interaction that should be blocked by the application.

Do I need to be an administrator to trigger this bug?

No, administrative privileges are not required. Any user who already has legitimate access to run queries against the Snowflake datasource within Grafana can potentially issue these unauthorized GET or PUT commands. However, the bug is not triggered by users who lack authorization to use the plugin or who are restricted from executing queries through the Grafana interface.

Is my Grafana instance at risk if it is internal?

According to Halo Surface Signal, this vulnerability is most relevant when the plugin is active in your environment, regardless of network placement. While internet-facing instances increase accessibility, the core risk remains centered on internal data workflows where users have authenticated access to the plugin. If your internal Grafana instance uses this datasource, it remains a point of concern.

How should I respond to CVE-2026-28381?

Your first step is to confirm whether the Snowflake datasource plugin is currently enabled or in use on your Grafana servers. If you identify active instances, consult with your application or platform teams to audit current access controls. Focus your effort on determining who has permission to run queries through this plugin and initiate a plan to restrict or update the integration to mitigate the risk of unauthorized file operations.