CVE-2026-21262
SQL Server Elevation of Privilege Vulnerability
Basic Information
- CVE State: PUBLISHED
- Reserved Date: December 11, 2025
- Published Date: March 10, 2026
- Last Updated: April 14, 2026
- Vendor: Microsoft
- Product: Microsoft SQL Server 2016 Service Pack 3 (GDR), Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack, Microsoft SQL Server 2017 (CU 31), Microsoft SQL Server 2017 (GDR), Microsoft SQL Server 2019 (CU 32), Microsoft SQL Server 2019 (GDR), Microsoft SQL Server 2022 (GDR), Microsoft SQL Server 2022 for x64-based Systems (CU 23), Microsoft SQL Server 2025 (CU 2), Microsoft SQL Server 2025 for x64-based Systems (GDR)
- Description: Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
CVSS Scores
CVSS v3.1
8.8 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
SSVC Information
- Exploitation: none
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2026-04-19 13:46:00 UTC)
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-04-19 13:46:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel