CVE-2026-26117 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-26117 PUBLISHED CVSS 7.800000190734863 HIGH

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

EPSS 0.05% · 14.1th percentile

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

EPSS Score

0.05%

14.1th percentile

Affected Products

Vendor	Product	Versions
Microsoft	Microsoft SQL Server 2019 (GDR)	15.0.0
Microsoft	Microsoft SQL Server 2017 (GDR)	14.0.0
Microsoft	Microsoft SQL Server 2022 for x64-based Systems (CU 23)	16.0.0.0
microsoft	sql_server_2019	15.0.0.0, 15.0.0
microsoft	sql_server_2022	16.0.0, 16.0.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack	13.0.0
Microsoft	Microsoft SQL Server 2025 (CU 2)	17.0.0.0
Microsoft	Microsoft SQL Server 2025 for x64-based Systems (GDR)	17.0.1050.2
Microsoft	Microsoft SQL Server 2019 (CU 32)	15.0.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 (GDR)	13.0.0
Microsoft	Microsoft SQL Server 2017 (CU 31)	14.0.0
Microsoft	Microsoft SQL Server 2022 (GDR)	16.0.0
microsoft	arc_enabled_servers_azure_connected_machine_agent	1.0.0, 1.0.0, 1.0.0
microsoft	sql_server_2016	13.0.0, 13.0.0
microsoft	sql_server_2017	14.0.0, 14.0.0
microsoft	sql_server_2025	17.0.0.0, 17.0.1050.2
Microsoft	Arc Enabled Servers - Azure Connected Machine Agent	1.0.0, 1.0.0, 1.0.0

Timeline

Mar 10, 2026 CVE Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 11, 2026 EPSS Score
Mar 11, 2026 PoC Published
Mar 11, 2026 PoC Published
Mar 11, 2026 Security Advisory
Mar 11, 2026 PoC Published
Mar 11, 2026 PoC Published

References

Open in Interactive Console →