CVE-2026-21262
Received
Received - Intake
Improper Access Control in SQL Server Enables Privilege Escalation
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: Microsoft Corporation
Description
Description
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | sql_server_2016 | From 13.0.6300.2 (inc) to 13.0.6480.4 (exc) |
| microsoft | sql_server_2016 | From 13.0.7000.253 (inc) to 13.0.7075.5 (exc) |
| microsoft | sql_server_2017 | From 14.0.1000.169 (inc) to 14.0.2100.4 (exc) |
| microsoft | sql_server_2017 | From 14.0.3006.16 (inc) to 14.0.3520.4 (exc) |
| microsoft | sql_server_2019 | From 15.0.4003.23 (inc) to 15.4460.4 (exc) |
| microsoft | sql_server_2022 | From 16.0.1000.6 (inc) to 16.0.1170.5 (exc) |
| microsoft | sql_server_2022 | From 16.0.4003.1 (inc) to 16.0.4240.4 (exc) |
| microsoft | sql_server_2025 | From 17.0.1000.7 (inc) to 17.0.1105.2 (exc) |
| microsoft | sql_server_2025 | From 17.0.4006.2 (inc) to 17.0.4020.2 (exc) |
| microsoft | sql_server_2019 | From 15.0.2000.5 (inc) to 15.0.2160.4 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
