Mallory

SQL Server Elevation of Privilege Vulnerability

Severity: High
Identifiers: CVE-2026-21262 · CWE-284 (Improper Access Control)

CVE-2026-21262 is an elevation-of-privilege vulnerability in Microsoft SQL Server caused by improper access control. The issue affects SQL Server 2016 and later, including versions 2016, 2017, 2019, 2022, and 2025. According to the available reporting, the flaw is in how SQL Server validates authorization requests, allowing an authenticated attacker to send specially crafted commands over the network and elevate privileges within the SQL Server instance. Successful exploitation can promote a low-privileged SQL login to the SQL Server sysadmin role. Microsoft and multiple secondary sources describe the vulnerability as publicly disclosed prior to patch release, with a CVSS v3.1 base score of 8.8, and not known to be actively exploited at the time of disclosure.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with legitimate access to a vulnerable SQL Server instance to escalate privileges to SQL Server sysadmin. This gives the attacker effective full administrative control over the database instance, including the ability to read, modify, or disrupt database contents and administrative configuration. In shared or multi-tenant SQL environments, this materially increases the risk of cross-database compromise, unauthorized administrative actions, and broader post-compromise abuse of the SQL environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by auditing SQL Server logins and role assignments, restricting explicit server-level privileges to trusted accounts only, and enforcing least privilege for all database users and service accounts. Monitor SQL Server and database audit logs for anomalous privilege changes, unexpected role membership modifications, or suspicious administrative actions consistent with escalation to sysadmin. Limit network access to SQL Server instances to only the required administrative and application paths, and review shared or multi-tenant deployments for unnecessary user access that would satisfy the authenticated-access prerequisite for exploitation.
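The audit and monitoring steps above, as an added T-SQL example that is not part of the advisory: it inventories current sysadmin members and sysadmin-equivalent server permissions, then enables a SQL Server Audit that records future role-membership and permission changes. The audit and specification names and the file path are assumptions for this example.

```sql
-- Added example (not from the advisory). Audit/spec names and the
-- D:\SQLAudit\ path are placeholders; adjust for your instance.

-- 1. Who already holds sysadmin (the role this CVE lets a low-privileged login reach).
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Explicit server-level permissions that are effectively sysadmin-equivalent
--    or let a login widen its own access; restrict these to trusted accounts.
SELECT p.name AS login_name, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'CONTROL SERVER', N'ALTER ANY LOGIN',
                             N'ALTER ANY SERVER ROLE', N'IMPERSONATE ANY LOGIN')
  AND p.name NOT LIKE N'##%'   -- skip SQL Server's internal certificate logins
ORDER BY p.name, sp.permission_name;

-- 3. Record role-membership, permission and login changes at the server level.
USE master;
CREATE SERVER AUDIT Audit_PrivilegeChanges
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION AuditSpec_PrivilegeChanges
    FOR SERVER AUDIT Audit_PrivilegeChanges
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- ALTER SERVER ROLE ... ADD/DROP MEMBER
    ADD (SERVER_PERMISSION_CHANGE_GROUP),     -- GRANT/DENY/REVOKE at server scope
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- logins created, altered or dropped
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)   -- db_owner and other DB roles
    WITH (STATE = ON);

ALTER SERVER AUDIT Audit_PrivilegeChanges WITH (STATE = ON);

-- 4. Review captured events: any change to sysadmin membership outside a
--    change window is a candidate escalation and should be investigated.
SELECT a.event_time, a.server_principal_name, a.target_server_principal_name,
       a.object_name AS role_name, a.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\Audit_PrivilegeChanges*.sqlaudit',
                           DEFAULT, DEFAULT) AS a
WHERE a.object_name = N'sysadmin'
ORDER BY a.event_time DESC;
```

Run steps 1 and 2 before and after patching and diff the results; step 4 is also a reasonable starting point for a SIEM rule keyed on the target login and role name.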

Remediation

Patch, then assume compromise.

Apply Microsoft's March 2026 security updates for affected SQL Server versions. The available reporting states that Microsoft released fixes for SQL Server 2016 through SQL Server 2025 on the following update tracks/KBs:

SQL Server 2025: KB5077466 (CU2+GDR) and KB5077468 (RTM+GDR)
SQL Server 2022: KB5077464 (CU23+GDR) and KB5077465 (RTM+GDR)
SQL Server 2019: KB5077469 (CU32+GDR) and KB5077470 (RTM+GDR)
SQL Server 2017: KB5077471 and KB5077472
SQL Server 2016: KB5077473 and KB5077474

Install the update from the track (CU or GDR) that matches the servicing level already in place on each instance. For SQL Server instances hosted on Windows Azure IaaS, updates can be obtained through Microsoft Update or by manual download from the Microsoft Download Center. Upgrade unsupported SQL Server deployments to supported releases so security fixes can be applied.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                 Product          Type
Microsoft Corporation  SQL Server 2016  application
Microsoft Corporation  SQL Server 2017  application
Microsoft Corporation  SQL Server 2019  application
Microsoft Corporation  SQL Server 2022  application
Microsoft Corporation  SQL Server 2025  application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
