wid-sec-w-2026-0658 · Published 2026-03-10 · View on BSI CERT-Bund ↗
Microsoft SQL Server: Multiple Vulnerabilities Allow Gaining Administrator Privileges
CVSS 8.8 (HIGH)
Risk Summary
Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
CVEs (3)
Affected Vendors
Microsoft
Affected Products (8)
Microsoft · SQL Server 2016 SP3 (GDR)
Microsoft · SQL Server 2016 SP3 Azure Connect Feature Pack
Microsoft · SQL Server 2017 (GDR)
Microsoft · SQL Server 2017 (CU 31)
Microsoft · SQL Server 2019 (GDR)
Microsoft · SQL Server 2019 (CU 32)
Microsoft · SQL Server 2022 (GDR)
Microsoft · SQL Server 2022 (CU 23)