CVE-2026-21262

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microsoft:sql_server_2016:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2016:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2017:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2017:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2019:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2019:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2022:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2022:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2025:::::::x64:*
	cpe:2.3:a:microsoft:sql_server_2025:::::::x64:*

History

13 Mar 2026, 19:33

Type	Values Removed	Values Added
CPE		cpe:2.3:a:microsoft:sql_server_2019:::::::x64:* cpe:2.3:a:microsoft:sql_server_2022:::::::x64:* cpe:2.3:a:microsoft:sql_server_2025:::::::x64:* cpe:2.3:a:microsoft:sql_server_2016:::::::x64:* cpe:2.3:a:microsoft:sql_server_2017:::::::x64:*
References	~~() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262 -~~	() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262 - Vendor Advisory
First Time		Microsoft sql Server 2022 Microsoft Microsoft sql Server 2019 Microsoft sql Server 2025 Microsoft sql Server 2016 Microsoft sql Server 2017
Summary		(es) Control de acceso inadecuado en SQL Server permite a un atacante autorizado elevar privilegios a través de una red.

10 Mar 2026, 18:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 18:18

Updated : 2026-03-13 19:33

NVD link : CVE-2026-21262

Mitre link : CVE-2026-21262

CVE.ORG link : CVE-2026-21262

JSON object : View

Products Affected

microsoft

sql_server_2016
sql_server_2022
sql_server_2017
sql_server_2025
sql_server_2019

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-21262", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secure@microsoft.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-10T18:18:06.190", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262", "tags": ["Vendor Advisory"], "source": "secure@microsoft.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "secure@microsoft.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Control de acceso inadecuado en SQL Server permite a un atacante autorizado elevar privilegios a trav\u00e9s de una red."}], "lastModified": "2026-03-13T19:33:50.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "0512F204-5C6C-416C-BAE9-37A46C517A5B", "versionEndExcluding": "13.0.6480.4", "versionStartIncluding": "13.0.6300.2"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "FF21E018-C759-44FA-B1BF-1A97054606E7", "versionEndExcluding": "13.0.7075.5", "versionStartIncluding": "13.0.7000.253"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "36B7482B-D75C-4EFD-AD60-251BAD0A9FE4", "versionEndExcluding": "14.0.2100.4", "versionStartIncluding": "14.0.1000.169"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "AAE03DE1-E3F6-4450-9B06-695C0BEC4517", "versionEndExcluding": "14.0.3520.4", "versionStartIncluding": "14.0.3006.16"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "EB3E749F-531E-4516-A23E-C62FB6564CE3", "versionEndExcluding": "15.0.2160.4", "versionStartIncluding": "15.0.2000.5"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "06D61310-5AD1-4CFB-9416-EA47CEE5479B", "versionEndExcluding": "15.4460.4", "versionStartIncluding": "15.0.4003.23"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "930A8DB4-E8DF-4C8B-8D7C-43DDB705D5E6", "versionEndExcluding": "16.0.1170.5", "versionStartIncluding": "16.0.1000.6"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "DA833891-A29B-46C0-8945-693E70C0AA57", "versionEndExcluding": "16.0.4240.4", "versionStartIncluding": "16.0.4003.1"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "9498FF0D-E8A3-4430-AE23-EC2BF0631002", "versionEndExcluding": "17.0.1105.2", "versionStartIncluding": "17.0.1000.7"}, {"criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "vulnerable": true, "matchCriteriaId": "EE7E80DA-728A-4BA2-9D72-71577FE83723", "versionEndExcluding": "17.0.4020.2", "versionStartIncluding": "17.0.4006.2"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}