SQL Injection Vulnerability in SQL Server by Microsoft
CVE-2026-32176

6.7MEDIUM

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2016 Service Pack 3 (gdr); Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack; Microsoft Sql Server 2017 (cu 31); Microsoft Sql Server 2017 (gdr)
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-32176?

An issue exists in SQL Server where the improper handling of special elements in SQL commands can allow an authorized attacker to exploit the system to elevate their privileges locally. This weakness poses a significant risk to the integrity and confidentiality of the affected databases, making it essential for organizations to implement the available patches and review their security measures.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6485.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7080.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3525.1

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 11, 2026

CVE-2026-32176 Data

JSON