CVE-2026-26115
Received
Received - Intake
Privilege Escalation via Input Validation Flaw in SQL Server
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: Microsoft Corporation
Description
Description
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | sql_server_2016 | From 13.0.6300.2 (inc) to 13.0.6480.4 (exc) |
| microsoft | sql_server_2016 | From 13.0.7000.253 (inc) to 13.0.7075.5 (exc) |
| microsoft | sql_server_2017 | From 14.0.1000.169 (inc) to 14.0.2100.4 (exc) |
| microsoft | sql_server_2017 | From 14.0.3006.16 (inc) to 14.0.3520.4 (exc) |
| microsoft | sql_server_2022 | From 16.0.1000.6 (inc) to 16.0.1170.5 (exc) |
| microsoft | sql_server_2022 | From 16.0.4003.1 (inc) to 16.0.4240.4 (exc) |
| microsoft | sql_server_2025 | From 17.0.4006.2 (inc) to 17.0.4020.2 (exc) |
| microsoft | sql_server_2019 | From 15.0.2000.5 (inc) to 15.0.2160.4 (exc) |
| microsoft | sql_server_2019 | From 15.0.4003.23 (inc) to 15.0.4460.4 (exc) |
| microsoft | sql_server_2025 | From 17.0.1000.7 (inc) to 17.0.1050.2 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
