The Snowflake datasource allows GET/PUT commands, so any user who can run queries against the data source can read/write files between the local Grafana server and the connected Snowflake host.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-28381 represents a critical authorization bypass vulnerability in Grafana's Snowflake datasource integration. By exploiting GET/PUT command functionality, any user with query execution privileges can read and write arbitrary files between the Grafana server and connected Snowflake instances, bypassing intended access controls. This affects organizations using Grafana to visualize Snowflake data, potentially exposing sensitive datasets, configuration files, and enabling lateral movement through the data pipeline. With a CVSS score of 9.6, the vulnerability poses severe risk to data confidentiality, integrity, and availability across dependent systems.
While this vulnerability currently maps to zero Casky skills due to its specificity to Grafana-Snowflake integration, practitioners using Casky's Claude-powered analysis would benefit from detection patterns aligned with T1020 (Automated Exfiltration), T1048 (Exfiltration Over Alternative Protocol), and T1570 (Lateral Tool Transfer). Extended reasoning analysis would identify suspicious patterns such as: unexpected GET/PUT command execution in Snowflake query logs, large data transfers between Grafana and Snowflake outside normal analytical workflows, access to configuration or system files through datasource queries, and privilege escalation attempts leveraging file-write capabilities. Security teams should monitor for these behavioral indicators while awaiting skill coverage expansion specific to Grafana datasource vulnerabilities.
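The first indicator above, unexpected GET/PUT execution in Snowflake query logs, can be checked with a short script. This is an added example, not code from Casky, Grafana or Snowflake; the record field names and the `GRAFANA_SVC` service account are assumptions, and the sample rows are constructed.

```python
import re

# Whitespace and SQL comments that may precede a statement inside a panel query.
_LEADING_NOISE = re.compile(r"\A(?:\s+|/\*.*?\*/|--[^\n]*)*", re.S)
# Snowflake file transfer statements: PUT file://<local> @<stage>, GET @<stage> file://<local>
_TRANSFER = re.compile(r"\A(GET|PUT)\s+", re.I)
_LOCAL_PATH = re.compile(r"file://([^\s';]+)", re.I)

# Constructed sample rows; field names are assumptions modelled on a query-history export.
SAMPLE_RECORDS = [
    {"query_id": "q1", "user_name": "GRAFANA_SVC",
     "query_text": "SELECT region, SUM(amount) FROM sales GROUP BY region"},
    {"query_id": "q2", "user_name": "GRAFANA_SVC",
     "query_text": "/* panel 7 */ PUT file:///tmp/constructed/report.csv @~/staged"},
    {"query_id": "q3", "user_name": "GRAFANA_SVC",
     "query_text": "SELECT 1; -- refresh\nGET @~/staged file:///tmp/constructed/out/"},
    {"query_id": "q4", "user_name": "ETL_LOADER",  # expected bulk loader, not watched
     "query_text": "PUT file:///data/load/batch.csv @etl_stage"},
    {"query_id": "q5", "user_name": "grafana_svc",
     "query_text": "SELECT GET_DDL('table', 'sales')"},  # function call, not a transfer
]

def find_file_transfers(records, datasource_users):
    """Flag GET/PUT statements issued by accounts that should only run dashboard SELECTs."""
    watched = {u.upper() for u in datasource_users}
    findings = []
    for rec in records:
        if rec["user_name"].upper() not in watched:
            continue
        # Naive split on ';' (does not parse string literals or comments containing ';').
        for stmt in rec["query_text"].split(";"):
            stmt = _LEADING_NOISE.sub("", stmt, count=1)
            m = _TRANSFER.match(stmt)
            if not m:
                continue
            path = _LOCAL_PATH.search(stmt)
            findings.append({"query_id": rec["query_id"], "user": rec["user_name"],
                             "command": m.group(1).upper(),
                             "local_path": path.group(1) if path else None})
    return findings

if __name__ == "__main__":
    for f in find_file_transfers(SAMPLE_RECORDS, {"GRAFANA_SVC"}):
        print(f)
```

Scoping the check to the datasource's own service account keeps legitimate bulk loaders, which use PUT routinely, out of the findings.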
© 2026 Casky.AI, Inc. · AI Security Investigation