Remote Code Execution Vulnerability in SQL Server by Microsoft
CVE-2026-40370

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Sql Server 2016 Service Pack 3 (gdr); Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack; Microsoft Sql Server 2017 (cu 31); Microsoft Sql Server 2017 (gdr)
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-40370?

This vulnerability in SQL Server allows an authorized attacker to gain control over the filename or path parameters, potentially enabling them to execute arbitrary code remotely across the network. By exploiting this issue, attackers can compromise the integrity and confidentiality of the system, raising significant security concerns for organizations utilizing this software. It is crucial to address the associated risks by applying relevant security updates and patches.

Affected Version(s)

Microsoft SQL Server 2016 Service Pack 3 (GDR) x64-based Systems 13.0.0 < 13.0.6490.1

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack x64-based Systems 13.0.0 < 13.0.7085.1

Microsoft SQL Server 2017 (CU 31) x64-based Systems 14.0.0 < 14.0.3530.2

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 11, 2026

CVE-2026-40370 Data

JSON