Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32167

CVE-2026-32167: SQL Server 2016 Privilege Escalation Flaw

CVE-2026-32167 is a privilege escalation vulnerability in Microsoft SQL Server 2016 caused by SQL injection. Authorized attackers can exploit this flaw to elevate privileges locally. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-32167 Overview

CVE-2026-32167 is a SQL injection vulnerability in Microsoft SQL Server that enables an authorized attacker to elevate privileges locally. The flaw stems from improper neutralization of special elements in SQL commands, classified as [CWE-89]. An authenticated user with low privileges can craft malicious SQL statements that the server processes with elevated context. Successful exploitation grants high impact to confidentiality, integrity, and availability of the database instance. Microsoft addressed the issue through its Security Update Guide, and the vulnerability affects every supported SQL Server release from 2016 through 2025.

Critical Impact

An authenticated local attacker can escalate privileges within the database engine, gaining full control over data, schema, and server availability.

Affected Products

  • Microsoft SQL Server 2016 (x64)
  • Microsoft SQL Server 2017, 2019, and 2022 (x64)
  • Microsoft SQL Server 2025 (x64)

Discovery Timeline

  • 2026-04-14 - CVE-2026-32167 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-32167

Vulnerability Analysis

The vulnerability resides in how SQL Server processes user-supplied input within certain SQL commands. The engine fails to neutralize special characters before incorporating attacker-controlled values into a query that executes with elevated privileges. An authorized attacker with database access can inject SQL syntax that breaks out of the intended query context. The injected statements run in a privilege boundary above the attacker's original role, producing privilege escalation inside the database instance. Because the attack vector is local and requires authentication, exploitation depends on the attacker already having a valid SQL Server login.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. A code path concatenates untrusted input into a dynamically constructed SQL statement without parameterization or escaping. When that statement is executed under a higher-privileged module or context, the injected payload inherits those privileges.

Attack Vector

Exploitation requires local access with low privileges and no user interaction. An authenticated attacker submits crafted input through a SQL Server interface that reaches the vulnerable code path. The injected payload alters the executed query to perform actions reserved for higher-privileged roles, such as sysadmin or db_owner. The result is high impact across confidentiality, integrity, and availability.

No public proof-of-concept code is available. See the Microsoft Security Update Guide for vendor technical details.

Detection Methods for CVE-2026-32167

Indicators of Compromise

  • Unexpected creation of high-privileged logins or role memberships, such as additions to sysadmin or db_owner.
  • SQL Server error log entries showing failed or malformed dynamic SQL execution from low-privilege accounts.
  • Execution of xp_cmdshell, sp_configure, or extended stored procedures by accounts that have no business need for them.

Detection Strategies

  • Enable SQL Server Audit to capture SCHEMA_OBJECT_ACCESS_GROUP, SERVER_ROLE_MEMBER_CHANGE_GROUP, and DATABASE_PRINCIPAL_CHANGE_GROUP events.
  • Hunt for queries containing concatenated user input combined with control characters such as ;, --, or /* originating from application accounts.
  • Correlate SQL Server authentication events with subsequent privilege changes within short time windows.

Monitoring Recommendations

  • Forward SQL Server audit logs and Windows Security events to a centralized SIEM for correlation.
  • Baseline normal query patterns per application account and alert on deviations, especially privilege-related statements.
  • Review the Microsoft Security Update Guide entry for CVE-2026-32167 and align identification rules with vendor-published behavior.

How to Mitigate CVE-2026-32167

Immediate Actions Required

  • Apply the security update referenced in the Microsoft Security Update Guide for each affected SQL Server version.
  • Inventory all SQL Server 2016, 2017, 2019, 2022, and 2025 instances and prioritize internet-adjacent and production database tiers.
  • Audit SQL Server login accounts and remove unused or excessive privileges before patch deployment.

Patch Information

Microsoft has released fixes through the Security Update Guide covering SQL Server 2016, 2017, 2019, 2022, and 2025. Administrators should consult the vendor advisory for the cumulative update or GDR package that matches their build number, then validate the patched version using SELECT @@VERSION after deployment.

Workarounds

  • Restrict SQL Server logins to the minimum privileges required and avoid granting sysadmin to application accounts.
  • Enforce parameterized queries and stored procedures in application code paths that interact with SQL Server.
  • Limit local logon and remote access to database hosts using network segmentation and host firewall rules until patches are applied.
bash
# Verify SQL Server build after patching
sqlcmd -S localhost -Q "SELECT SERVERPROPERTY('ProductVersion') AS Version, SERVERPROPERTY('ProductLevel') AS Level;"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne