Microsoft patched this one in its Patch Tuesday on 10 March 2026. It is a privilege escalation in SQL Server rooted in an improper access control check: a user who already holds a valid login on the server can, over the network, end up with sysadmin rights, the fixed server role that controls the entire instance. The CVSS score is 8.8, which puts it in the high band.
It was classed as a zero-day because details were public before a fix existed. The person who surfaced it was Erland Sommarskog, a well-known SQL Server MVP, off the back of his article “Packaging Permissions in Stored Procedures”, which looks at how permissions get delegated inside stored procedures. The disclosure was handled responsibly, and there are no reports of the flaw being used in attacks: no active exploitation has been recorded.
What actually breaks
The associated CWE is CWE-284, improper access control. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) tells most of the story. The attack comes over the network, needs no victim interaction, and only requires low privileges to start. You do not need to be an administrator. A limited login on the instance is enough. From there the attacker can jump to sysadmin and, with that role, read, change or delete any data, alter the server configuration, or in many deployments run commands on the underlying operating system through xp_cmdshell or similar. xp_cmdshell is off by default, but sysadmin is exactly the role that can switch it on with sp_configure, and the commands then run as the SQL Server service account, so a disabled setting is not a barrier once the escalation has happened.
Confidentiality, integrity and availability all take a high hit. Once an attacker has sysadmin, nothing inside that instance is off limits.
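The first thing a practitioner wants after a flaw like this is a record of the footprints an escalation leaves: sysadmin membership changes, server-level permission grants, new or altered logins, and statements run under another login's identity. The following SQL Server Audit is an added example, not code from the advisory, from Erland Sommarskog's article or from Microsoft. It does not detect the vulnerability itself (the mechanism is not published here); it records what an attacker does with the access. The audit object names and the directory C:\SQLAudit\ are assumptions; the directory must exist and be writable by the service account.

```sql
-- Added example (not from the advisory or the original article).
-- Assumptions: audit objects named PrivEsc_Audit / PrivEsc_AuditSpec, and a
-- directory C:\SQLAudit\ that exists and is writable by the SQL Server service
-- account. Requires ALTER ANY SERVER AUDIT (sysadmin has it).
USE master;
GO

-- 1. Destination for the audit records. ON_FAILURE = CONTINUE keeps the
--    instance up if the disk fills; use SHUTDOWN where losing audit records
--    is worse than an outage.
CREATE SERVER AUDIT PrivEsc_Audit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. What to record at server scope.
CREATE SERVER AUDIT SPECIFICATION PrivEsc_AuditSpec
    FOR SERVER AUDIT PrivEsc_Audit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),        -- ALTER SERVER ROLE ... ADD/DROP MEMBER, sp_addsrvrolemember
    ADD (SERVER_PERMISSION_CHANGE_GROUP),         -- GRANT/DENY/REVOKE of server-level permissions (CONTROL SERVER etc.)
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),          -- logins created, altered, dropped
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),   -- EXECUTE AS LOGIN at server scope
    ADD (AUDIT_CHANGE_GROUP)                      -- anyone tampering with this audit itself
    WITH (STATE = ON);
GO

ALTER SERVER AUDIT PrivEsc_Audit WITH (STATE = ON);
GO

-- 3. Read the log back. session_server_principal_name is the login that
--    actually connected; server_principal_name is the identity the statement
--    ran under. When they differ, the action happened under impersonation
--    (EXECUTE AS, or a stored procedure that switches execution context).
SELECT event_time,
       action_id,
       succeeded,
       session_server_principal_name AS connected_as,
       server_principal_name         AS acted_as,
       object_name,
       statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE '%sysadmin%'
   OR statement LIKE '%CONTROL SERVER%'
   OR server_principal_name <> session_server_principal_name
ORDER BY event_time DESC;
```

Ship the .sqlaudit files off the host (or point the audit at the Windows Security log) so a fresh sysadmin cannot simply delete the evidence; AUDIT_CHANGE_GROUP at least records the attempt to turn the audit off.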
Who is affected
The flaw reaches a wide range of supported versions:
- SQL Server 2016 Service Pack 3
- SQL Server 2017 (CU 31 and GDR branch)
- SQL Server 2019 (CU 32 and GDR branch)
- SQL Server 2022 (CU 23 and GDR branch)
- SQL Server 2025 (CU 2 and GDR branch)
All on x64 systems. If you run a SQL Server instance exposed to users with their own accounts, even low-privilege ones, this applies to you. The classic risk scenario is a database shared by several apps or teams, where not everyone should be able to reach sysadmin.
Mitigation
The fix is straightforward: apply the cumulative update or GDR that matches your branch. Microsoft shipped patches for every supported version on the day of the advisory. If you cannot patch right away, shrink the attack surface: review which logins can reach the instance over the network, keep their permissions at the minimum, and restrict access to the SQL Server port (1433 by default, or whatever the instance actually listens on) to the sources that genuinely need it. None of that removes the flaw; it only reduces who can reach it.
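Before patching you want to know which build each instance runs, who already holds sysadmin or its equivalents, and which OS-reaching features are switched on, because those decide how much an escalation is worth on that instance. The following inventory script is an added example, not from the advisory or the original article; it uses only SERVERPROPERTY and the catalog views, so it runs on any supported version. Steps 1 to 6 are read-only; step 7 changes a setting. Compare the build it reports against the fixed builds in Microsoft's advisory, which this page does not reproduce.

```sql
-- Added example (not from the advisory or the original article). Inventory of
-- the things that decide how much an escalation to sysadmin is worth here.
-- Run as sysadmin, or as a login with VIEW SERVER STATE and VIEW ANY DEFINITION
-- for the read-only steps.

-- 1. Build level. Compare ProductVersion with the fixed build for your branch
--    (CU or GDR) in the Microsoft advisory; the numbers are not reproduced here.
SELECT SERVERPROPERTY('ProductVersion')         AS build,
       SERVERPROPERTY('ProductLevel')           AS service_pack_level,
       SERVERPROPERTY('ProductUpdateLevel')     AS cumulative_update,
       SERVERPROPERTY('ProductUpdateReference') AS kb_article,
       SERVERPROPERTY('Edition')                AS edition;

-- 2. Current sysadmin members. Each one is both a target worth impersonating
--    and a place an attacker might park a new member.
SELECT p.name, p.type_desc, p.is_disabled, p.create_date, p.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.modify_date DESC;

-- 3. Server-level permissions that are sysadmin in all but name.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'SERVER'
  AND pe.permission_name IN ('CONTROL SERVER', 'IMPERSONATE ANY LOGIN',
                             'ALTER ANY LOGIN', 'ALTER ANY SERVER ROLE',
                             'ALTER SETTINGS', 'UNSAFE ASSEMBLY')
  AND pe.state IN ('G', 'W');

-- 4. IMPERSONATE granted on a specific login. A low-privilege login allowed to
--    impersonate a sysadmin is an escalation path regardless of any CVE.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS grantee ON grantee.principal_id = pe.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = pe.major_id
WHERE pe.class_desc = 'SERVER_PRINCIPAL'
  AND pe.permission_name = 'IMPERSONATE'
  AND pe.state IN ('G', 'W');

-- 5. TRUSTWORTHY databases owned by a sysadmin: code inside them can reach
--    server scope through EXECUTE AS, the classic delegation trap.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1;

-- 6. OS-reaching features. 0 = off.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'Ad Hoc Distributed Queries');

-- 7. Disable xp_cmdshell where nothing depends on it. This shrinks what a
--    freshly minted sysadmin can do quietly, but sysadmin can turn it back on,
--    so treat a later change here as an alert, not as a control.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

On a shared instance, steps 3 to 5 usually turn up more than the CVE does: grants of CONTROL SERVER or IMPERSONATE handed out years ago to make an application work are escalation paths that no patch will close.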
This zero-day was part of the wider March batch. If you run Windows infrastructure, go through the rest of the bulletin in our March 2026 Patch Tuesday summary, where Microsoft fixed 79 flaws in total. For which server releases still get support, see the Windows Server page.
Source
- NVD - NIST: CVE-2026-21262