Microsoft SQL Server Elevation of Privilege Vulnerability (CVE-2026-21262)

As part of Microsoft’s March 2026 Security Update, an elevation of privilege vulnerability in Microsoft SQL Server, tracked as CVE-2026-21262, was disclosed and patched. The flaw arises from improper access control within SQL Server that allows an authenticated, low-privileged user to escalate their rights over the network to the highest built-in role on the database instance. According to the National Vulnerability Database (NVD), the issue has a CVSS v3.1 base score of 8.8 (High), reflecting the potential for complete compromise of affected SQL Server instances when exploited by an attacker with valid credentials.

The vulnerability affects supported releases of SQL Server, and Microsoft has released security updates for SQL Server 2016, SQL Server 2017, SQL Server…
