Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21262

CVE-2026-21262: Microsoft SQL Server Privilege Escalation

CVE-2026-21262 is a privilege escalation vulnerability in Microsoft SQL Server 2016 caused by improper access control. Authorized attackers can exploit this flaw over a network to elevate privileges and gain unauthorized access.

Updated:

CVE-2026-21262 Overview

CVE-2026-21262 is an improper access control vulnerability [CWE-284] affecting multiple versions of Microsoft SQL Server. An authenticated attacker with low-level privileges can exploit the flaw over a network to elevate privileges within the database engine. Microsoft published the advisory on March 10, 2026, and the issue impacts SQL Server 2016, 2017, 2019, 2022, and 2025 on x64 platforms.

Successful exploitation grants attackers higher privileges, enabling read, modify, and delete access to data the original account could not reach. The vulnerability requires existing authentication but no user interaction, making it exploitable from compromised service accounts or low-privilege database users.

Critical Impact

An authorized attacker can elevate privileges across SQL Server 2016 through 2025, gaining full confidentiality, integrity, and availability impact on hosted databases.

Affected Products

  • Microsoft SQL Server 2016 (x64)
  • Microsoft SQL Server 2017 (x64)
  • Microsoft SQL Server 2019 (x64)
  • Microsoft SQL Server 2022 (x64)
  • Microsoft SQL Server 2025 (x64)

Discovery Timeline

  • 2026-03-10 - Microsoft publishes advisory for CVE-2026-21262
  • 2026-03-10 - CVE-2026-21262 published to NVD
  • 2026-03-13 - Last updated in NVD database

Technical Details for CVE-2026-21262

Vulnerability Analysis

The vulnerability falls under [CWE-284] Improper Access Control. Microsoft SQL Server fails to enforce access control checks correctly for an authenticated network user, permitting privilege escalation within the database engine context.

An attacker leverages an existing low-privilege SQL Server login to perform actions reserved for higher-privilege roles such as db_owner or sysadmin. The flaw operates at the network attack surface, meaning any client able to reach the SQL Server listener (typically TCP port 1433) and authenticate can attempt exploitation. EPSS data places the current exploit probability at 0.075%, but the high impact warrants prompt patching.

Root Cause

The root cause is missing or incorrectly evaluated authorization logic within SQL Server's permission enforcement layer. When the engine processes certain operations, it does not validate that the calling principal possesses the required permissions, allowing a low-privilege session to perform privileged actions. This is consistent with [CWE-284] weaknesses where the access control mechanism exists but is bypassed or applied inconsistently.

Attack Vector

The attack vector is network-based with low attack complexity. The attacker must hold a valid SQL Server credential, which is commonly obtained through compromised application service accounts, leaked connection strings, or stolen developer credentials. No user interaction is required. Once authenticated, the attacker issues crafted T-SQL statements or RPC calls against the database engine to trigger the improper access control path and obtain elevated privileges. Microsoft has not published technical exploitation details. Refer to the Microsoft Security Update Guide for vendor information.

Detection Methods for CVE-2026-21262

Indicators of Compromise

  • Unexpected role membership changes in sys.server_role_members or sys.database_role_members not tied to administrative activity.
  • SQL Server logins executing privileged statements such as CREATE LOGIN, ALTER SERVER ROLE, EXEC sp_addsrvrolemember, or xp_cmdshell from accounts that historically do not perform such actions.
  • Anomalous spikes in failed permission checks logged in the SQL Server error log preceding successful privileged operations.
  • New sysadmin or db_owner assignments correlated with low-privilege application service accounts.

Detection Strategies

  • Enable SQL Server Audit on SERVER_ROLE_MEMBER_CHANGE_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, and SERVER_PERMISSION_CHANGE_GROUP and forward logs to a centralized analytics platform.
  • Baseline normal T-SQL behavior per application login and alert on deviations such as DDL or role management commands from accounts that only perform DML.
  • Correlate Windows authentication events with SQL Server login events to identify lateral movement between compromised hosts and database servers.

Monitoring Recommendations

  • Continuously monitor SQL Server error logs and Extended Events sessions for permission denied events followed by successful privileged operations from the same session.
  • Track outbound network connections from SQL Server hosts to detect post-exploitation activity such as data exfiltration or command-and-control beaconing.
  • Review service account inventories and rotate credentials for any account whose privilege boundaries cannot be verified.

How to Mitigate CVE-2026-21262

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft Security Update Guide for every affected SQL Server instance.
  • Inventory all SQL Server 2016, 2017, 2019, 2022, and 2025 deployments, including clustered, Always On, and containerized instances.
  • Audit existing logins and remove unused accounts, enforcing least privilege for application service accounts.
  • Rotate credentials for any SQL Server login suspected of exposure prior to patching.

Patch Information

Microsoft has released updates for all affected SQL Server versions. Refer to the Microsoft Security Update Guide for cumulative update and GDR package details that map to each product version and servicing branch. Validate patches in a staging environment before deploying to production database clusters.

Workarounds

  • Restrict network access to SQL Server listeners using host-based firewalls, network segmentation, and private endpoints so only application tiers can reach TCP 1433.
  • Enforce strong authentication, disable legacy SQL logins where possible, and require Microsoft Entra or Windows Authentication.
  • Remove unnecessary permissions from application logins and ensure no application account holds sysadmin privilege.
  • Enable SQL Server Audit and stream events to a SIEM until patching is complete to provide rapid detection of exploitation attempts.
bash
# Example SQL Server Audit configuration for role and permission changes
USE master;
GO
CREATE SERVER AUDIT PrivEscAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10);
GO
ALTER SERVER AUDIT PrivEscAudit WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION PrivEscAuditSpec
    FOR SERVER AUDIT PrivEscAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne