CVE-2026-26115
SQL Server Elevation of Privilege Vulnerability
In short
SQL Server fails to properly validate certain user inputs, allowing someone with legitimate access to gain higher privileges on the system over a network. This means an authorized user could become an administrator without permission.
Technical detail
An authenticated attacker can exploit improper input validation in SQL Server to escalate privileges over the network. The vulnerability requires valid credentials (the CVSS vector rates the required privileges as low), but a successful attack elevates those privileges, potentially leading to full administrative control of the SQL Server instance.
Summary generated and translated by AI from the official description.
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Affected products
Microsoft · Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack
Microsoft · Microsoft SQL Server 2016 Service Pack 3 (GDR)
Microsoft · Microsoft SQL Server 2017 (CU 31)
Microsoft · Microsoft SQL Server 2017 (GDR)
Microsoft · Microsoft SQL Server 2019 (CU 32)
Microsoft · Microsoft SQL Server 2019 (GDR)
Microsoft · Microsoft SQL Server 2022 for x64-based Systems (CU 23)
Microsoft · Microsoft SQL Server 2022 (GDR)
Microsoft · Microsoft SQL Server 2025 (CU 2)
Microsoft · Microsoft SQL Server 2025 for x64-based Systems (GDR)