Cyber Posture

CVE-2026-21262

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Security Summary

CVE-2026-21262, published on 2026-03-10, is an improper access control vulnerability (CWE-284) affecting SQL Server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability can be exploited by an authorized attacker with low privileges over a network connection. Exploitation requires low complexity and no user interaction, allowing the attacker to elevate privileges on the affected SQL Server instance.

Mitigation details are available in the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262.

Details

CWE(s)
CWE-284

Affected Products

microsoft
sql server 2016
13.0.6300.2 — 13.0.6480.4 · 13.0.7000.253 — 13.0.7075.5
microsoft
sql server 2017
14.0.1000.169 — 14.0.2100.4 · 14.0.3006.16 — 14.0.3520.4
microsoft
sql server 2019
15.0.2000.5 — 15.0.2160.4 · 15.0.4003.23 — 15.4460.4
microsoft
sql server 2022
16.0.1000.6 — 16.0.1170.5 · 16.0.4003.1 — 16.0.4240.4
microsoft
sql server 2025
17.0.1000.7 — 17.0.1105.2 · 17.0.4006.2 — 17.0.4020.2

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Vulnerability enables privilege escalation via remote exploitation of improper access control in SQL Server by low-privileged authenticated attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References