Description
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Published: 2026-04-14
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Now
AI Analysis

Impact

Improper neutralization of special elements in SQL Server SQL commands creates a classic SQL injection vulnerability that lets a local, authorized attacker inject and execute malicious queries. The injected code can bypass normal security controls and obtain higher privileges, allowing the attacker to gain administrative rights or access sensitive data. The weakness is a classic example of CWE‑89 SQL injection.

Affected Systems

Affected products are Microsoft SQL Server 2016 Service Pack 3 (GDR) and the Azure Connect Feature Pack, SQL Server 2017 (CU 31 and GDR), SQL Server 2019 (CU 32 and GDR), SQL Server 2022 (GDR and CU 24 for x64‑based systems), and SQL Server 2025 (CU 3 and the x64 GDR). All listed releases run on 64‑bit platforms.

Risk and Exploitability

The CVSS base score of 6.7 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploits. The flaw requires a local, authenticated user with access to SQL Server; there is no mention of remote exploitation. Therefore the risk is moderate but any system with an affected SQL Server should patch promptly to eliminate the local privilege escalation pathway.

Generated by OpenCVE AI on April 14, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update released for CVE‑2026‑32167.
  • Verify all SQL Server instances are running a patched version (at least CU 31 for 2017, CU 32 for 2019, CU 24 for 2022, or CU 3 for 2025).
  • Restrict local user privileges and enforce least‑privilege principles.

Generated by OpenCVE AI on April 14, 2026 at 20:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)
Vendors & Products Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Wed, 15 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Title SQL Server Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
Weaknesses CWE-89
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
Vendors & Products Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 (gdr) Microsoft Sql Server 2019 (gdr) Microsoft Sql Server 2022 For X64-based Systems (cu 23) Microsoft Sql Server 2025 For X64-based Systems (gdr) Sql Server 2016 Sql Server 2017 Sql Server 2019 Sql Server 2022 Sql Server 2025
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-17T15:51:36.185Z

Reserved: 2026-03-10T23:09:43.266Z

Link: CVE-2026-32167

cve-icon Vulnrichment

Updated: 2026-04-15T09:09:14.733Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T18:17:19.417

Modified: 2026-04-17T15:10:35.607

Link: CVE-2026-32167

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:00:06Z

Weaknesses