Cyber Resilience

CVE-2026-21262

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0204 78.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21262 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Sql Server 2016. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 21.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-21262, published on 2026-03-10, is an improper access control vulnerability (CWE-284) affecting SQL Server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability can be exploited by an authorized attacker with low privileges over a network connection. Exploitation requires low complexity and no user interaction, allowing the attacker to elevate privileges on the affected SQL Server instance.

Mitigation details are available in the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability enables privilege escalation via remote exploitation of improper access control in SQL Server by low-privileged authenticated attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24999Same product: Microsoft Sql Server 2016
CVE-2026-33120Same product: Microsoft Sql Server 2016
CVE-2026-26116Same product: Microsoft Sql Server 2016
CVE-2026-26115Same product: Microsoft Sql Server 2016
CVE-2025-53727Same product: Microsoft Sql Server 2016
CVE-2025-49759Same product: Microsoft Sql Server 2016
CVE-2025-59499Same product: Microsoft Sql Server 2016
CVE-2025-49758Same product: Microsoft Sql Server 2016
CVE-2025-55227Same product: Microsoft Sql Server 2016
CVE-2026-24290Same vendor: Microsoft

Affected Assets

microsoft
sql server 2016
13.0.6300.2 — 13.0.6480.4 · 13.0.7000.253 — 13.0.7075.5
microsoft
sql server 2017
14.0.1000.169 — 14.0.2100.4 · 14.0.3006.16 — 14.0.3520.4
microsoft
sql server 2019
15.0.2000.5 — 15.0.2160.4 · 15.0.4003.23 — 15.4460.4
microsoft
sql server 2022
16.0.1000.6 — 16.0.1170.5 · 16.0.4003.1 — 16.0.4240.4
microsoft
sql server 2025
17.0.1000.7 — 17.0.1105.2 · 17.0.4006.2 — 17.0.4020.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper access control flaw in SQL Server by applying vendor security patches.

prevent

Enforces least privilege to limit low-privileged users' ability to exploit the vulnerability for elevation.

prevent

Mandates enforcement of approved access authorizations, countering the improper access control allowing privilege escalation.

References