Medium severity 6.7 · NVD Advisory · Published Apr 14, 2026 · Updated May 7, 2026
CVE-2026-32167
Description
Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Affected products
- cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:* range: >=13.0.6300.2,<13.0.6485.1
- cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:* range: >=14.0.1000.169,<14.0.2105.1
- cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:* range: >=15.0.2000.5,<15.0.2165.1
- cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:* range: >=16.0.1000.6,<16.0.1175.1
- cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:* range: >=17.0.1000.7,<17.0.1110.1
References
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167 (nvd, Vendor Advisory)
News mentions
- Patch Tuesday - April 2026 · Rapid7 Blog · Apr 14, 2026