Description
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Published: 2026-04-14
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

This SQL Server vulnerability results from improper handling of special elements inside SQL commands, effectively enabling a classic SQL injection attack. An attacker who already possesses authorized access to the server can inject malicious code, which is then executed by the database engine. The consequence is a local elevation of privileges, allowing the attacker to gain higher database or operating‑system rights and potentially access confidential data or modify system configuration.

Affected Systems

Microsoft SQL Server 2016 Service Pack 3 (GDR) and Azure Connect Feature Pack, Microsoft SQL Server 2017 CU 31 and GDR, Microsoft SQL Server 2019 CU 32 and GDR, Microsoft SQL Server 2022 GDR and x64 CU 24, and Microsoft SQL Server 2025 CU 3 and x64 GDR are affected. The issue spans both on‑premises deployments and Azure‑connected instances.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity. Exploitability is limited to users who already hold legitimate server access, as the flaw is local. Because the vulnerability is a SQL injection flaw, an attacker would need to craft a query that the database accepts and then trigger the elevation of privileges. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, so it is not currently known to be actively exploited in the wild.

Generated by OpenCVE AI on April 14, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the security update for the affected SQL Server versions from Microsoft’s update guide.
  • Verify the installation by checking the applied update number or executing the version info query.
  • Apply the principle of least privilege to user accounts used by applications to minimize the impact of a potential injection.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:45:00 +0000

Type: First Time appeared
Values Added:
  • Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
  • Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
  • Microsoft microsoft Sql Server 2017 (cu 31)
  • Microsoft microsoft Sql Server 2017 (gdr)
  • Microsoft microsoft Sql Server 2019 (cu 32)
  • Microsoft microsoft Sql Server 2019 (gdr)
  • Microsoft microsoft Sql Server 2022 (gdr)
  • Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
  • Microsoft microsoft Sql Server 2025 (cu 2)
  • Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Type: Vendors & Products
Values Added:
  • Microsoft microsoft Sql Server 2016 Service Pack 3 (gdr)
  • Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
  • Microsoft microsoft Sql Server 2017 (cu 31)
  • Microsoft microsoft Sql Server 2017 (gdr)
  • Microsoft microsoft Sql Server 2019 (cu 32)
  • Microsoft microsoft Sql Server 2019 (gdr)
  • Microsoft microsoft Sql Server 2022 (gdr)
  • Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
  • Microsoft microsoft Sql Server 2025 (cu 2)
  • Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Tue, 14 Apr 2026 19:15:00 +0000

Type: Metrics ssvc
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type: Description
Values Added:
  • Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

Type: Title
Values Added:
  • SQL Server Elevation of Privilege Vulnerability

Type: First Time appeared
Values Added:
  • Microsoft
  • Microsoft sql Server 2016
  • Microsoft sql Server 2017
  • Microsoft sql Server 2019
  • Microsoft sql Server 2022
  • Microsoft sql Server 2025

Type: Weaknesses
Values Added:
  • CWE-89

Type: CPEs
Values Added:
  • cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*

Type: Vendors & Products
Values Added:
  • Microsoft
  • Microsoft sql Server 2016
  • Microsoft sql Server 2017
  • Microsoft sql Server 2019
  • Microsoft sql Server 2022
  • Microsoft sql Server 2025

Type: References

Type: Metrics cvssV3_1
Values Added:
  {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:55:21.535Z

Reserved: 2026-03-11T00:26:53.425Z

Link: CVE-2026-32176

Vulnrichment

Updated: 2026-04-14T19:09:06.381Z

NVD

Status: Received

Published: 2026-04-14T18:17:20.013

Modified: 2026-04-14T18:17:20.013

Link: CVE-2026-32176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:45:03Z

Weaknesses