CVE-2026-26148 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-26148 PUBLISHED CVSS 8.100000381469727 HIGH

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

EPSS 0.10% · 27.7th percentile

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

EPSS Score

0.10%

27.7th percentile

Affected Products

Vendor	Product	Versions
Microsoft	Microsoft SQL Server 2022 for x64-based Systems (CU 23)	16.0.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack	13.0.0
microsoft	sql_server_2017	14.0.0, 14.0.0
Microsoft	Microsoft SQL Server 2025 (CU 2)	17.0.0.0
microsoft	sql_server_2019	15.0.0.0, 15.0.0
microsoft	sql_server_2016	13.0.0, 13.0.0
Microsoft	Microsoft Azure AD SSH Login extension for Linux	1.0.0, 1.0.0, 1.0.0
Microsoft	Microsoft SQL Server 2017 (GDR)	14.0.0
Microsoft	Microsoft SQL Server 2025 for x64-based Systems (GDR)	17.0.1050.2
microsoft	azure_ad_ssh_login_extension_for_linux	1.0.0, 1.0.0, 1.0.0
microsoft	sql_server_2025	17.0.0.0, 17.0.1050.2
Microsoft	Microsoft SQL Server 2019 (GDR)	15.0.0
Microsoft	Microsoft SQL Server 2016 Service Pack 3 (GDR)	13.0.0
Microsoft	Microsoft SQL Server 2019 (CU 32)	15.0.0.0
Microsoft	Microsoft SQL Server 2017 (CU 31)	14.0.0
Microsoft	Microsoft SQL Server 2022 (GDR)	16.0.0
microsoft	sql_server_2022	16.0.0, 16.0.0.0

Timeline

Mar 10, 2026 CVE Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 10, 2026 PoC Published
Mar 11, 2026 EPSS Score
Mar 11, 2026 PoC Published
Mar 11, 2026 PoC Published
Mar 11, 2026 Security Advisory
Mar 11, 2026 CVE Updated
Mar 11, 2026 PoC Published

References

Open in Interactive Console →