CVE-2026-40370 Overview
CVE-2026-40370 is a remote code execution vulnerability in Microsoft SQL Server caused by external control of file name or path [CWE-73]. An authorized attacker can manipulate file path inputs to execute arbitrary code over the network. The flaw requires low privileges and no user interaction, making it exploitable by any account with valid credentials to the database.
Microsoft published the advisory on May 12, 2026. The vulnerability affects SQL Server instances accessible over the network and can be leveraged to compromise confidentiality, integrity, and availability of the host system.
Critical Impact
An authenticated attacker can execute arbitrary code on SQL Server hosts by controlling file path parameters, leading to full database server compromise.
Affected Products
- Microsoft SQL Server (refer to the Microsoft advisory for specific build numbers)
- SQL Server instances exposed to network-accessible authenticated users
- Applications relying on affected SQL Server versions for backend storage
Discovery Timeline
- 2026-05-12 - CVE-2026-40370 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40370
Vulnerability Analysis
The vulnerability stems from improper validation of file name or path inputs processed by SQL Server. An authenticated attacker submits crafted path values that the server resolves without adequate restriction. This allows the attacker to reference attacker-controlled files or trigger loading of unintended resources during database operations.
The attack vector is the network, and exploitation requires only low-privilege credentials. No user interaction is needed, which lowers the operational barrier for adversaries who have obtained any valid SQL Server login. Successful exploitation results in code execution within the SQL Server process context.
The Exploit Prediction Scoring System currently lists this CVE with a low near-term exploitation probability, but authenticated RCE flaws in database engines have historically attracted post-compromise exploitation by ransomware and intrusion operators.
Root Cause
The root cause is classified as [CWE-73] External Control of File Name or Path. SQL Server accepts file path parameters from authenticated users and uses them in privileged file operations without enforcing sufficient canonicalization or allow-list controls. The trust boundary between user-supplied path data and the server's file access logic is not enforced.
Attack Vector
Exploitation requires a valid SQL Server login with permission to invoke functionality that accepts a file path parameter. The attacker submits a malicious path referencing a remote share, symbolic link, or specially crafted local file. SQL Server processes the path, leading to code execution under the privileges of the SQL Server service account.
The vulnerability is exploitable in scenarios where SQL Server is reachable from internal networks, business partner networks, or where credential theft has occurred. Compromised application accounts or stolen developer credentials are common entry points.
Verified proof-of-concept code is not currently available. Refer to the Microsoft CVE-2026-40370 Update for technical details.
Detection Methods for CVE-2026-40370
Indicators of Compromise
- Unexpected outbound SMB or UNC path connections originating from the SQL Server service account
- SQL Server error log entries referencing file access failures on unusual paths
- Spawning of cmd.exe, powershell.exe, or other child processes from sqlservr.exe
- Unusual file read or write operations performed by the SQL Server process outside standard data directories
Detection Strategies
- Monitor process creation events where sqlservr.exe is the parent process and the child is a shell or scripting interpreter
- Audit SQL Server logins and track usage of stored procedures and functions that accept file path arguments
- Inspect network telemetry for SMB connections from database servers to non-corporate destinations
- Correlate authentication events with subsequent file system operations on the SQL Server host
Monitoring Recommendations
- Enable SQL Server audit logging for BACKUP, RESTORE, BULK INSERT, and OPENROWSET operations
- Forward Windows Security and Sysmon logs to a centralized SIEM for behavioral correlation
- Alert on any modification to SQL Server configuration that enables xp_cmdshell or external file access features
- Baseline normal file path arguments used by applications and flag deviations
How to Mitigate CVE-2026-40370
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-40370 Update advisory
- Inventory all SQL Server instances and prioritize patching of internet-adjacent or business-critical servers
- Rotate credentials for any SQL Server accounts that may have been exposed to untrusted users
- Restrict network access to SQL Server using firewall rules and network segmentation
Patch Information
Microsoft has released a security update for affected SQL Server versions. Administrators must consult the Microsoft CVE-2026-40370 Update advisory for build-specific patch identifiers and apply the cumulative update or security-only rollup that corresponds to the deployed SQL Server edition.
Workarounds
- Revoke unnecessary permissions on stored procedures and functions that accept file path arguments
- Disable xp_cmdshell and other extended procedures that are not required for business operations
- Enforce least privilege on the SQL Server service account and remove local administrator rights where possible
- Limit SQL Server access to trusted application accounts and block direct user logins where feasible
# Example: disable xp_cmdshell on SQL Server
sqlcmd -S <server> -E -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
