Cyber Posture

CVE-2026-21262

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 22.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21262 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Sql Server 2016. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the improper access control flaw in SQL Server by applying vendor security patches.

AC-6 Least Privilege good match
prevent

Enforces least privilege to limit low-privileged users' ability to exploit the vulnerability for elevation.

AC-3 Access Enforcement good match
prevent

Mandates enforcement of approved access authorizations, countering the improper access control allowing privilege escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Vulnerability enables privilege escalation via remote exploitation of improper access control in SQL Server by low-privileged authenticated attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Deeper analysisAI

CVE-2026-21262, published on 2026-03-10, is an improper access control vulnerability (CWE-284) affecting SQL Server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability can be exploited by an authorized attacker with low privileges over a network connection. Exploitation requires low complexity and no user interaction, allowing the attacker to elevate privileges on the affected SQL Server instance.

Mitigation details are available in the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262.

Details

CWE(s)
CWE-284

Affected Products

microsoft
sql server 2016
13.0.6300.2 — 13.0.6480.4 · 13.0.7000.253 — 13.0.7075.5
microsoft
sql server 2017
14.0.1000.169 — 14.0.2100.4 · 14.0.3006.16 — 14.0.3520.4
microsoft
sql server 2019
15.0.2000.5 — 15.0.2160.4 · 15.0.4003.23 — 15.4460.4
microsoft
sql server 2022
16.0.1000.6 — 16.0.1170.5 · 16.0.4003.1 — 16.0.4240.4
microsoft
sql server 2025
17.0.1000.7 — 17.0.1105.2 · 17.0.4006.2 — 17.0.4020.2

CVEs Like This One

CVE-2025-24999Same product: Microsoft Sql Server 2016
CVE-2026-33120Same product: Microsoft Sql Server 2016
CVE-2026-26116Same product: Microsoft Sql Server 2016
CVE-2026-26115Same product: Microsoft Sql Server 2016
CVE-2025-49758Same product: Microsoft Sql Server 2016
CVE-2025-59499Same product: Microsoft Sql Server 2016
CVE-2025-49759Same product: Microsoft Sql Server 2016
CVE-2025-53727Same product: Microsoft Sql Server 2016
CVE-2025-55227Same product: Microsoft Sql Server 2016
CVE-2025-54914Same vendor: Microsoft

References