Medium severity6.7NVD Advisory· Published Apr 14, 2026· Updated May 7, 2026

CVE-2026-32167

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

Affected products

Microsoft/Sql Server 2016
cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*
Range: >=13.0.6300.2,<13.0.6485.1
Microsoft/Sql Server 2017
cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*
Range: >=14.0.1000.169,<14.0.2105.1
Microsoft/Sql Server 2019
cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*
Range: >=15.0.2000.5,<15.0.2165.1
Microsoft/Sql Server 2022
cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*
Range: >=16.0.1000.6,<16.0.1175.1
Microsoft/Sql Server 2025
cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*
Range: >=17.0.1000.7,<17.0.1110.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.436
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000