Description
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Published: 2026-03-10
Score: 8.8 High
EPSS: 2.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in Microsoft SQL Server that allows an authorized user with limited privileges to gain higher level permissions over the network. It is a CWE-284 (Improper Privilege Management) issue. Once exploited, the attacker can perform administrative actions, access sensitive data, modify schema, or execute arbitrary commands, thereby compromising confidentiality, integrity, and availability of the database instance.

Affected Systems

Microsoft SQL Server 2016 Service Pack 3 and its Azure Connect Feature Pack; SQL Server 2017 versions CU 31 and GDR; SQL Server 2019 versions CU 32 and GDR; SQL Server 2022 versions GDR and CU 23 (x64); SQL Server 2025 versions CU 2 and GDR (x64). All listed builds are vulnerable according to Microsoft’s advisory.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 8.8, which is considered high severity. The EPSS score of 2% indicates a low but non‑zero probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be network‑based, requiring the attacker to have network access to the SQL Server instance and be authorized with a user account that has some privileges, but it does not require local physical or administrative access. If exploited, the attacker can elevate to administrative privileges, gain access to all database objects, and potentially impact downstream applications.

Generated by OpenCVE AI on June 18, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft's cumulative update for the affected SQL Server version as detailed in the CVE‑2026‑21262 advisory
  • Restart the SQL Server service following the installation of the update to ensure the new access‑control settings take effect
  • Limit the exposure of SQL Server by restricting connections to trusted networks and enforcing strict role‑based access controls until the patch can be deployed
  • Continuously monitor audit logs for unauthorized privilege changes and alert on anomalous activity

Generated by OpenCVE AI on June 18, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (cu 31)
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (cu 32)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 (cu 2)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)
Vendors & Products Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (cu 31)
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (cu 32)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 (cu 2)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Title SQL Server Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
Weaknesses CWE-284
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
Vendors & Products Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Microsoft Sql Server 2016 Service Pack 3 (gdr) Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 (cu 31) Microsoft Sql Server 2017 (gdr) Microsoft Sql Server 2019 (cu 32) Microsoft Sql Server 2019 (gdr) Microsoft Sql Server 2022 (gdr) Microsoft Sql Server 2022 For X64-based Systems (cu 23) Microsoft Sql Server 2025 (cu 2) Microsoft Sql Server 2025 For X64-based Systems (gdr) Sql Server 2016 Sql Server 2017 Sql Server 2019 Sql Server 2022 Sql Server 2025
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T18:17:19.420Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21262

cve-icon Vulnrichment

Updated: 2026-03-10T18:40:15.451Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:06.190

Modified: 2026-06-17T10:18:23.250

Link: CVE-2026-21262

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses