Description
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
Published: 2026-03-10
Score: 8.8 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a CWE-89 weakness: special characters in input that reaches an SQL statement are not neutralized, so the input can change the structure of the statement rather than being treated as data. An authenticated, low-privileged user (PR:L in the CVSS vector) who can reach the vulnerable code path over the network can use this to raise their privileges within the database server, executing statements beyond the scope intended for their account and threatening the confidentiality, integrity and availability of the database (C:H/I:H/A:H). The description does not identify the affected component or code path.
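As an added illustration (not code from the OpenCVE page, and not the code path behind CVE-2026-26116, which the description does not identify), the following T-SQL shows the general mechanism by which a CWE-89 defect inside a module that runs with elevated context lets a login holding only EXECUTE on one procedure become db_owner, beside the parameterized form that closes the hole. The database, login, table and procedure names are hypothetical; run it as sysadmin on a disposable instance.

```sql
-- Added illustration of CWE-89 leading to elevation of privilege in SQL Server.
-- Not the CVE-2026-26116 code path; all names below (AppDb, reporting_user,
-- dbo.Orders, dbo.GetOrdersByRegion*) are hypothetical. Run as sysadmin.
IF DB_ID('AppDb') IS NULL CREATE DATABASE AppDb;
GO
USE AppDb;
GO
-- A low-privileged principal: no rights beyond EXECUTE on the procedures granted below.
CREATE LOGIN reporting_user WITH PASSWORD = 'Example-Password-1!';
CREATE USER reporting_user FOR LOGIN reporting_user;
GO
CREATE TABLE dbo.Orders (OrderId INT IDENTITY PRIMARY KEY, Region SYSNAME, Amount MONEY);
INSERT dbo.Orders (Region, Amount) VALUES ('EMEA', 10), ('APAC', 20);
GO
-- VULNERABLE: @Region is concatenated into the statement text, and the module runs
-- as its owner (dbo), so anything injected runs with dbo's rights too.
CREATE PROCEDURE dbo.GetOrdersByRegion_Vulnerable @Region NVARCHAR(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT OrderId, Amount FROM dbo.Orders WHERE Region = ''' + @Region + N''';';
    EXEC (@sql);   -- injected statements execute here, as dbo
END;
GO
-- HARDENED: the value travels as a typed parameter of sp_executesql, so it is
-- always data and can never close the literal or append a statement.
CREATE PROCEDURE dbo.GetOrdersByRegion @Region NVARCHAR(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT OrderId, Amount FROM dbo.Orders WHERE Region = @r;',
        N'@r NVARCHAR(100)', @r = @Region;
END;
GO
GRANT EXECUTE ON dbo.GetOrdersByRegion_Vulnerable TO reporting_user;
GRANT EXECUTE ON dbo.GetOrdersByRegion TO reporting_user;
GO
-- Attack, as the low-privileged user: the tail of @Region closes the string
-- literal and appends a statement only dbo could run; "--" discards the rest.
EXECUTE AS USER = 'reporting_user';
EXEC dbo.GetOrdersByRegion_Vulnerable
     @Region = N'EMEA''; ALTER ROLE db_owner ADD MEMBER reporting_user; --';
REVERT;
SELECT IS_ROLEMEMBER('db_owner', 'reporting_user') AS now_db_owner;       -- 1

-- The same input against the hardened procedure is merely an odd region value:
-- it returns zero rows and changes no role membership.
ALTER ROLE db_owner DROP MEMBER reporting_user;
EXECUTE AS USER = 'reporting_user';
EXEC dbo.GetOrdersByRegion
     @Region = N'EMEA''; ALTER ROLE db_owner ADD MEMBER reporting_user; --';
REVERT;
SELECT IS_ROLEMEMBER('db_owner', 'reporting_user') AS still_not_db_owner; -- 0
GO
-- Cleanup.
USE master;
GO
DROP DATABASE AppDb;
DROP LOGIN reporting_user;
GO
```

The point to take from the pair is that the privilege boundary is crossed by the execution context of the module, not by the SELECT itself: any EXECUTE AS OWNER, EXECUTE AS 'dbo' or signed module that builds SQL from its arguments turns a CWE-89 bug into an elevation of privilege for every login allowed to call it.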

Affected Systems

The vendor advisory lists Microsoft SQL Server 2025 CU 2 and Microsoft SQL Server 2025 for x64‑based systems (GDR) as affected. The CPE data on this page also includes SQL Server 2016, 2017, 2019 and 2022, but the advisory does not name them, so only the SQL Server 2025 builds are confirmed affected. Earlier versions should be treated as unconfirmed rather than as safe until the vendor states otherwise.

Risk and Exploitability

The CVSS base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity, while the EPSS score of 1.2% signals a low likelihood of exploitation in the short term. The vector's temporal metrics (E:U/RL:O/RC:C) record no known exploit code, an official fix, and a confirmed report; the SSVC decision point lists exploitation as "none" and the flaw as not automatable. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated database user with permission to execute SQL commands, reachable over the network, who can then deliver a crafted statement and increase their privileges. Monitoring of database activity does not prevent this, but it can surface the attempt: the injected statement and any resulting role or permission change are visible to auditing.

Generated by OpenCVE AI on June 18, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft's security update for the SQL Server 2025 servicing branch you run (CU or GDR); the advisory lists SQL Server 2025 CU 2 and the SQL Server 2025 GDR build as affected.
  • If the update cannot be applied immediately, restrict which database users can execute dynamic SQL, and review stored procedures and functions that build SQL from their arguments, especially those that run with an elevated context (EXECUTE AS OWNER or a signed module), since an injection inside such a module runs with that context's rights.
  • Implement least‑privilege controls for database users and monitor for abnormal query patterns that may indicate injection attempts, in particular statements that alter role membership or server-level permissions for the same login that issued them.

Generated by OpenCVE AI on June 18, 2026 at 10:23 UTC.
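One way to act on the monitoring recommendation above, as an added example that is not from OpenCVE or Microsoft: score captured statement text for injection-style self-elevation. The sample rows are constructed for this example; in practice the input would be a SQL Server Audit read with sys.fn_get_audit_file or an Extended Events session capturing completed statements, and the login and object names are hypothetical.

```sql
-- Added example: triage captured statements for injection-style privilege changes.
-- The #captured rows are constructed; a real feed would come from SQL Server Audit
-- (sys.fn_get_audit_file) or an Extended Events session. Names are hypothetical.
DROP TABLE IF EXISTS #captured;
CREATE TABLE #captured (
    event_time DATETIME2,
    login_name SYSNAME,
    statement  NVARCHAR(MAX));

INSERT #captured (event_time, login_name, statement) VALUES
 ('2026-03-11 09:00:01', 'reporting_user',
  N'SELECT OrderId, Amount FROM dbo.Orders WHERE Region = ''EMEA'';'),
 ('2026-03-11 09:00:07', 'reporting_user',
  N'SELECT OrderId, Amount FROM dbo.Orders WHERE Region = ''EMEA''; ALTER ROLE db_owner ADD MEMBER reporting_user; --'';'),
 ('2026-03-11 09:00:09', 'reporting_user',
  N'EXEC sp_addsrvrolemember ''reporting_user'', ''sysadmin'';'),
 ('2026-03-11 09:05:00', 'dba_admin',
  N'ALTER SERVER ROLE sysadmin ADD MEMBER new_dba;');

WITH scored AS (
    SELECT event_time, login_name, statement,
        -- Indicator 1: the text contains a role- or membership-changing statement.
        CASE WHEN statement LIKE '%ALTER ROLE%ADD MEMBER%'
               OR statement LIKE '%ALTER SERVER ROLE%ADD MEMBER%'
               OR statement LIKE '%sp_addsrvrolemember%'
               OR statement LIKE '%sp_addrolemember%'
             THEN 1 ELSE 0 END AS priv_change,
        -- Indicator 2: the target of the change is the login that issued it
        -- (self-elevation, which a legitimate administrator rarely needs).
        CASE WHEN statement LIKE '%MEMBER ' + login_name + '%'
               OR statement LIKE '%''' + login_name + '''%'
             THEN 1 ELSE 0 END AS self_target,
        -- Indicator 3: a closed string literal followed by a statement separator
        -- and a comment marker, the classic shape of a terminated-literal injection.
        CASE WHEN statement LIKE '%''%;%--%' THEN 1 ELSE 0 END AS stacked_with_comment
    FROM #captured)
SELECT event_time, login_name,
       priv_change + self_target + stacked_with_comment AS score,
       statement
FROM scored
WHERE priv_change = 1          -- ignore ordinary queries
ORDER BY score DESC, event_time;
-- Expected ordering: the stacked ALTER ROLE statement scores 3, the
-- sp_addsrvrolemember self-grant scores 2, the administrator's ALTER SERVER ROLE
-- for another login scores 1 and is left for routine review.
```

The score is deliberately coarse: its job is to put a low-privileged login's self-elevation at the top of the queue, not to classify every statement. Pair it with an alert on actual membership changes (the DATABASE_ROLE_MEMBER_CHANGE_GROUP and SERVER_ROLE_MEMBER_CHANGE_GROUP audit action groups) so that a successful injection is caught even if the statement text is never captured.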


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:15:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Microsoft sql Server 2016; Microsoft sql Server 2017; Microsoft sql Server 2019; Microsoft sql Server 2022
  • CPEs: cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*; cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*; cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*; cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
  • Vendors & Products: Microsoft sql Server 2016; Microsoft sql Server 2017; Microsoft sql Server 2019; Microsoft sql Server 2022

Tue, 10 Mar 2026 18:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
  • Title: SQL Server Elevation of Privilege Vulnerability
  • First Time appeared: Microsoft; Microsoft sql Server 2025
  • Weaknesses: CWE-89
  • CPEs: cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
  • Vendors & Products: Microsoft; Microsoft sql Server 2025
  • References: (none shown)
  • Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T18:17:50.500Z

Reserved: 2026-02-11T15:52:13.910Z

Link: CVE-2026-26116

Vulnrichment

Updated: 2026-03-10T17:51:07.592Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:40.827

Modified: 2026-06-17T10:25:45.137

Link: CVE-2026-26116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')