CVE-2026-23661 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-23661 PUBLISHED CVSS 7.5 HIGH

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

EPSS 0.04% · 11.6th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

EPSS Score

0.04%

11.6th percentile

Affected Products

Vendor	Product	Versions
microsoft	sql_server_2022	16.0.0.0, 16.0.0
Microsoft	Microsoft SQL Server 2022 (GDR)	16.0.0
Microsoft	Microsoft SQL Server 2025 for x64-based Systems (GDR)	17.0.1050.2
Microsoft	Microsoft SQL Server 2017 (CU 31)	14.0.0
Microsoft	Azure IoT Explorer	1.0.0, 1.0.0, 1.0.0
Microsoft	Microsoft SQL Server 2017 (GDR)	14.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 (GDR)	13.0.0
microsoft	azure_iot_explorer	1.0.0, 1.0.0, 0
microsoft	sql_server_2025	17.0.0.0, 17.0.1050.2
microsoft	sql_server_2019	15.0.0, 15.0.0.0
microsoft	sql_server_2017	14.0.0, 14.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack	13.0.0
Microsoft	Microsoft SQL Server 2025 (CU 2)	17.0.0.0
Microsoft	Microsoft SQL Server 2019 (GDR)	15.0.0
Microsoft	Microsoft SQL Server 2019 (CU 32)	15.0.0.0
Microsoft	Microsoft SQL Server 2022 for x64-based Systems (CU 23)	16.0.0.0
microsoft	sql_server_2016	13.0.0, 13.0.0

Timeline

Mar 10, 2026 CVE Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 11, 2026 EPSS Score
Mar 11, 2026 PoC Published
Mar 11, 2026 PoC Published
Mar 11, 2026 Security Advisory
Mar 11, 2026 PoC Published
Mar 11, 2026 PoC Published

References

Open in Interactive Console →