Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
SQL Server allows attackers to gain extra access over a network
CVE-2026-21262
Summary
An attacker who already has access to a database can use a weakness in SQL Server to gain even more access and control over the network. This could allow them to disrupt or access sensitive data. To protect your database, update SQL Server to the latest version and ensure all users have the appropriate access permissions.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| microsoft | sql_server_2016 | > 13.0.6300.2 , <= 13.0.6480.4 | – |
| microsoft | sql_server_2016 | > 13.0.7000.253 , <= 13.0.7075.5 | – |
| microsoft | sql_server_2017 | > 14.0.1000.169 , <= 14.0.2100.4 | – |
| microsoft | sql_server_2017 | > 14.0.3006.16 , <= 14.0.3520.4 | – |
| microsoft | sql_server_2019 | > 15.0.2000.5 , <= 15.0.2160.4 | – |
| microsoft | sql_server_2019 | > 15.0.4003.23 , <= 15.4460.4 | – |
| microsoft | sql_server_2022 | > 16.0.1000.6 , <= 16.0.1170.5 | – |
| microsoft | sql_server_2022 | > 16.0.4003.1 , <= 16.0.4240.4 | – |
| microsoft | sql_server_2025 | > 17.0.1000.7 , <= 17.0.1105.2 | – |
| microsoft | sql_server_2025 | > 17.0.4006.2 , <= 17.0.4020.2 | – |
Original title
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
Original description
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
nvd CVSS3.1
8.8
Vulnerability type
CWE-284
Improper Access Control
Published: 10 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026