Description
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authorized attacker to control the file name or path used by SQL Server, enabling arbitrary code execution over the network. The flaw is identified as CWE‑73. Because the attacker can specify arbitrary file paths, the server may load or execute unintended code, leading to compromise of confidentiality, integrity, and availability of the database system.

Affected Systems

Affected are Microsoft SQL Server 2016 Service Pack 3 (including the GDR and Azure Connect Feature Pack), 2017 CU 31 and its GDR, 2019 CU 32 and its GDR, 2022 GDR and the x64 CU 24, as well as 2025 CU 4 and its GDR. All listed releases run on 64‑bit operating systems.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. EPSS is not available, making current exploitation likelihood uncertain, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves an authorized user whose connection to SQL Server can dictate a file name or path; exploitation would require that the attacker has sufficient permissions to instruct the server to process the supplied path, after which arbitrary code can be executed.

Generated by OpenCVE AI on May 12, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for the affected SQL Server releases to fix the file‑path handling flaw.
  • Limit SQL Server administration to strictly necessary privileges; review and reduce permissions for users who can issue file‑path inputs.
  • If the Azure Connect Feature Pack is not required, remove or disable it to shrink the attack surface.
  • Monitor SQL Server logs for anomalous file‑path requests and investigate any unauthorized attempts.

Generated by OpenCVE AI on May 12, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)
Vendors & Products Microsoft microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft microsoft Sql Server 2017 (gdr)
Microsoft microsoft Sql Server 2019 (gdr)
Microsoft microsoft Sql Server 2022 For X64-based Systems (cu 23)
Microsoft microsoft Sql Server 2025 For X64-based Systems (gdr)

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Title SQL Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
Weaknesses CWE-73
CPEs cpe:2.3:a:microsoft:sql_server_2016:*:sp3:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2017:*:-:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
Vendors & Products Microsoft
Microsoft sql Server 2016
Microsoft sql Server 2017
Microsoft sql Server 2019
Microsoft sql Server 2022
Microsoft sql Server 2025
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 (gdr) Microsoft Sql Server 2019 (gdr) Microsoft Sql Server 2022 For X64-based Systems (cu 23) Microsoft Sql Server 2025 For X64-based Systems (gdr) Sql Server 2016 Sql Server 2017 Sql Server 2019 Sql Server 2022 Sql Server 2025
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:54:19.686Z

Reserved: 2026-04-11T23:06:15.615Z

Link: CVE-2026-40370

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:16.147

Modified: 2026-05-12T18:17:16.147

Link: CVE-2026-40370

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses