Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
SQL Server: Privilege Elevation via Malicious Input
CVE-2026-26115
Summary
A security flaw in SQL Server allows an authorized user to gain more access than they should have, potentially leading to unauthorized changes to sensitive data. This issue affects SQL Server installations and can be exploited over the network. To stay safe, ensure that input validation is properly configured and up-to-date security patches are applied.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| microsoft | sql_server_2016 | > 13.0.6300.2 , <= 13.0.6480.4 | – |
| microsoft | sql_server_2016 | > 13.0.7000.253 , <= 13.0.7075.5 | – |
| microsoft | sql_server_2017 | > 14.0.1000.169 , <= 14.0.2100.4 | – |
| microsoft | sql_server_2017 | > 14.0.3006.16 , <= 14.0.3520.4 | – |
| microsoft | sql_server_2019 | > 15.0.2000.5 , <= 15.0.2160.4 | – |
| microsoft | sql_server_2019 | > 15.0.4003.23 , <= 15.0.4460.4 | – |
| microsoft | sql_server_2022 | > 16.0.1000.6 , <= 16.0.1170.5 | – |
| microsoft | sql_server_2022 | > 16.0.4003.1 , <= 16.0.4240.4 | – |
| microsoft | sql_server_2025 | > 17.0.1000.7 , <= 17.0.1050.2 | – |
| microsoft | sql_server_2025 | > 17.0.4006.2 , <= 17.0.4020.2 | – |
Original title
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
Original description
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
nvd CVSS3.1
8.8
Vulnerability type
CWE-1287
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026