CVE-2026-26116: SQL Server Allows Unauthorized Privilege Elevation Over Network (NVD CVSS 3.1 base score 8.8)
Summary
An attacker who already holds authorized access to a SQL Server database can exploit this SQL injection flaw over the network to elevate privileges, and from there read sensitive data or disrupt the service. The concern is serious because it could let the attacker take control of the database or, from that foothold, compromise the wider network. To mitigate the risk, ensure that all user input is properly sanitized and validated so that malicious SQL code cannot be executed.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions (lower bound exclusive, upper bound inclusive) | Fix available |
|---|---|---|---|
| microsoft | sql_server_2016 | > 13.0.6300.2, <= 13.0.6480.4 | – |
| microsoft | sql_server_2016 | > 13.0.7000.253, <= 13.0.7075.5 | – |
| microsoft | sql_server_2017 | > 14.0.1000.169, <= 14.0.2100.4 | – |
| microsoft | sql_server_2017 | > 14.0.3006.16, <= 14.0.3520.4 | – |
| microsoft | sql_server_2019 | > 15.0.2000.5, <= 15.0.2160.4 | – |
| microsoft | sql_server_2019 | > 15.0.4003.23, <= 15.0.4460.4 | – |
| microsoft | sql_server_2022 | > 16.0.1000.6, <= 16.0.1170.5 | – |
| microsoft | sql_server_2022 | > 16.0.4003.1, <= 16.0.4240.4 | – |
| microsoft | sql_server_2025 | > 17.0.1000.7, <= 17.0.1105.2 | – |
| microsoft | sql_server_2025 | > 17.0.4006.2, <= 17.0.4020.2 | – |
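A version-range check a defender can run against the table above, added here as an example rather than anything from this advisory page or the vendor. It copies the table's ranges verbatim (lower bound exclusive, upper bound inclusive, exactly as listed) and takes the build string returned by SELECT SERVERPROPERTY('ProductVersion') on each instance; the host names in the sample inventory are constructed.

```python
"""Check SQL Server build strings against the affected ranges listed for CVE-2026-26116.

The ranges are copied from the affected-software table above: ">" lower bounds are
exclusive and "<=" upper bounds are inclusive, exactly as the table states.
Input is the value of SELECT SERVERPROPERTY('ProductVersion'), e.g. "15.0.4430.1".
"""
from typing import Optional, Tuple

# (product, exclusive lower bound, inclusive upper bound), copied from the table above
AFFECTED_RANGES = [
    ("sql_server_2016", "13.0.6300.2", "13.0.6480.4"),
    ("sql_server_2016", "13.0.7000.253", "13.0.7075.5"),
    ("sql_server_2017", "14.0.1000.169", "14.0.2100.4"),
    ("sql_server_2017", "14.0.3006.16", "14.0.3520.4"),
    ("sql_server_2019", "15.0.2000.5", "15.0.2160.4"),
    ("sql_server_2019", "15.0.4003.23", "15.0.4460.4"),
    ("sql_server_2022", "16.0.1000.6", "16.0.1170.5"),
    ("sql_server_2022", "16.0.4003.1", "16.0.4240.4"),
    ("sql_server_2025", "17.0.1000.7", "17.0.1105.2"),
    ("sql_server_2025", "17.0.4006.2", "17.0.4020.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    # major.minor.build.revision, compared numerically so "15.0.4430.1" > "15.0.4003.23"
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a SQL Server build string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_range(product_version: str) -> Optional[Tuple[str, str, str]]:
    # Returns the matching (product, low, high) row, or None if no listed range contains it
    v = parse_version(product_version)
    for product, low, high in AFFECTED_RANGES:
        if parse_version(low) < v <= parse_version(high):
            return (product, low, high)
    return None


def is_affected(product_version: str) -> bool:
    return affected_range(product_version) is not None


if __name__ == "__main__":
    # Constructed sample inventory: host name plus its ProductVersion string
    for host, ver in [("db01", "15.0.4430.1"), ("db02", "16.0.4240.4"), ("db03", "13.0.6300.2")]:
        hit = affected_range(ver)
        status = f"AFFECTED ({hit[0]}, > {hit[1]} and <= {hit[2]})" if hit else "not in a listed range"
        print(f"{host} {ver}: {status}")
```

A build that falls outside every listed range is reported as "not in a listed range", which means only that the table does not cover it, not that the build is confirmed safe.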
Original title (the original description is identical)
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
NVD CVSS 3.1 base score: 8.8
Vulnerability type: CWE-89 (SQL Injection)
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026