SQL Injection Vulnerability in Microsoft SQL Server
CVE-2026-32167

6.7MEDIUM

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2016 Service Pack 3 (gdr); Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack; Microsoft Sql Server 2017 (cu 31); Microsoft Sql Server 2017 (gdr)
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-32167?

An SQL injection vulnerability in Microsoft SQL Server enables authorized attackers to inject malicious SQL commands. This can allow them to escalate privileges locally, potentially compromising the integrity and confidentiality of the data and operations within the database. Organizations are urged to apply the latest security updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6485.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7080.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3525.1

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-32167 Data

JSON