Description
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Published: 2026-03-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Improper access control in Microsoft SQL Server allows an authorized attacker to elevate privileges over a network. The vulnerability is classified as CWE-284 (Improper Access Control); an authenticated, low-privileged user can gain higher-level permissions and potentially execute operations reserved for administrators, compromising the confidentiality, integrity, and availability of the affected instance.

Affected Systems

The affected products are Microsoft SQL Server 2016 Service Pack 3, SQL Server 2016 Service Pack 3 Azure Connect Feature Pack, SQL Server 2017 (CU 31 and GDR), SQL Server 2019 (CU 32 and GDR), SQL Server 2022 (GDR and CU 23 for x64), and SQL Server 2025 (CU 2 and GDR for x64). The CVE data does not provide more granular version delineation beyond these packages, so all mentioned builds are considered vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 8.8 (High). The EPSS score is below 1%, indicating little evidence of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:N) gives a network attack vector with low attack complexity, requiring an authenticated but low-privileged account and no user interaction; exploitation does not require local access to the host.

Generated by OpenCVE AI on March 16, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround is currently recorded in the CVE data.

OpenCVE Recommended Actions

  • Apply the latest cumulative update for the affected SQL Server version as listed in the Microsoft Security Advisory for CVE-2026-21262.
  • Restart the SQL Server service after the patch is installed.
  • Verify that the updated access control policies are enforced and that no elevated privileges persist for unauthorized accounts.
  • Monitor audit logs for any abnormal privilege escalation incidents.
  • If a patch cannot be applied immediately, limit network exposure and enforce strict role-based access controls to mitigate the risk until remediation is possible.


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (cu 31)
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (cu 32)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 (cu 2)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)
Vendors & Products Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (cu 31)
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (cu 32)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 (cu 2)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Title SQL Server Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
Weaknesses CWE-284
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
Vendors & Products Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:20.812Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21262

Vulnrichment

Updated: 2026-03-10T18:40:15.451Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:06.190

Modified: 2026-03-13T19:33:50.047

Link: CVE-2026-21262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:31:48Z

Weaknesses