DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32167: CVE-2026-32167: Microsoft SQL Server Elevation of Privilege via Internal SQL Injection

#security #cve #cybersecurity

CVE-2026-32167: Microsoft SQL Server Elevation of Privilege via Internal SQL Injection

Vulnerability ID: CVE-2026-32167
CVSS Score: 6.7
Published: 2026-04-14

CVE-2026-32167 is an Elevation of Privilege vulnerability in Microsoft SQL Server caused by improper neutralization of special elements (SQL Injection). Affecting multiple versions from 2016 to 2025, the flaw permits authenticated attackers with high database privileges to execute arbitrary SQL commands under elevated permissions, potentially compromising the host system.

TL;DR

A critical SQL injection flaw in SQL Server internal system procedures allows highly privileged local users to escalate to full sysadmin or OS-level control. Patches are available in the April 2026 security updates.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Local
  • CVSS Score: 6.7 (Medium)
  • EPSS Score: 0.00053
  • Impact: Elevation of Privilege
  • Exploit Status: active

Affected Systems

  • Microsoft SQL Server 2016 SP3
  • Microsoft SQL Server 2017
  • Microsoft SQL Server 2019
  • Microsoft SQL Server 2022
  • Microsoft SQL Server 2025
  • SQL Server 2016 SP3: 13.0.0 to 13.0.6485.0 (Fixed in: 13.0.6485.1)
  • SQL Server 2017: 14.0.0 to 14.0.3525.0 (Fixed in: 14.0.3525.1)
  • SQL Server 2019: 15.0.0 to 15.0.4465.0 (Fixed in: 15.0.4465.1)
  • SQL Server 2022: 16.0.0 to 16.0.4250.0 (Fixed in: 16.0.4250.1)
  • SQL Server 2025: 17.0.1050.2 to 17.0.4030.0 (Fixed in: 17.0.4030.1)

Mitigation Strategies

  • Apply official Microsoft Patch Tuesday updates for April 2026
  • Enforce the principle of least privilege for database roles
  • Harden instance configuration by disabling xp_cmdshell

Remediation Steps:

  1. Identify all deployed SQL Server instances and their current CU/GDR versions.
  2. Download the applicable KB update (e.g., KB5084815 for SQL Server 2022).
  3. Schedule a maintenance window, as restarting the SQL Server service is required.
  4. Apply the patch and verify the updated version build number via 'SELECT @@version'.
  5. Audit existing high-privilege user accounts and revoke unnecessary 'db_owner' or administrative roles.

References

Read the full report for CVE-2026-32167 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)