CVE-2026-55002: Patch SQL Server Privilege Escalation Flaw

Microsoft has patched CVE-2026-55002, an Important-rated SQL Server elevation-of-privilege vulnerability that can let an authenticated local attacker gain greater control over a database host. The flaw affects supported servicing branches from SQL Server 2016 through SQL Server 2025, making the July 14, 2026 security updates relevant across a wide range of production deployments.
Detailed in Microsoft’s Security Update Guide and published alongside July’s Patch Tuesday releases, the vulnerability carries a CVSS 3.1 base score of 7.8. Microsoft describes the underlying weakness as external control of a file name or path, classified as CWE-73, and says successful exploitation could have a high impact on confidentiality, integrity, and availability.
This is not an unauthenticated attack that can be launched directly against any Internet-facing SQL Server. The attacker must already possess low-level privileges and must execute the attack locally, but no user interaction or unusual race condition is required.

A cybersecurity illustration shows a shielded database, hacker, warning icons, and a data-security timeline.A File Path Becomes a Privilege Boundary​

CVE-2026-55002 arises when SQL Server does not adequately control a file name or path used during an operation. Microsoft has not published the vulnerable function, exploit sequence, or resulting privilege level, limiting the amount of public information available to defenders and would-be attackers alike.
Weaknesses in the CWE-73 category generally occur when software accepts externally influenced path information without sufficiently restricting where that path can point. Depending on the affected operation and the permissions of the SQL Server service account, that can create opportunities to access, replace, or manipulate resources outside the location originally intended by the application.
Microsoft’s CVSS vector rates the attack as local, low complexity, requiring low privileges, and requiring no user interaction. Scope remains unchanged, meaning the vulnerable SQL Server component and the resources affected by exploitation remain within the same security authority, even though the projected technical impact is high across all three CVSS impact categories.
That combination matters in database environments. SQL Server frequently runs under dedicated service identities with access that ordinary application accounts do not have, so a flaw that crosses from an authorized but limited context into the server’s more privileged context can become a valuable second stage after an initial compromise.
The vulnerability should therefore be treated as a post-compromise escalation path, not dismissed simply because it lacks a remote, unauthenticated attack vector. An attacker who acquires a low-privileged account through stolen credentials, a vulnerable application, or another server flaw could potentially use CVE-2026-55002 to deepen that foothold.

Five SQL Server Generations Need Attention​

The National Vulnerability Database’s initial record, based on data supplied by Microsoft, lists affected x64 servicing branches across SQL Server 2016, 2017, 2019, 2022, and 2025. Administrators should compare installed builds with the corrected July releases rather than relying only on the SQL Server product name.
Affected versions include builds below these fixed thresholds:
  • SQL Server 2016 SP3 GDR installations require build 13.0.6500.1 or later.
  • SQL Server 2016 Azure Connect Feature Pack installations require build 13.0.7095.1 or later.
  • SQL Server 2017 CU31 installations require build 14.0.3540.1 or later.
  • SQL Server 2017 GDR installations require build 14.0.2120.1 or later.
  • SQL Server 2019 CU32 installations require build 15.0.4480.2 or later.
  • SQL Server 2019 GDR installations require build 15.0.2180.2 or later.
  • SQL Server 2022 GDR installations require build 16.0.1190.2 or later.
  • SQL Server 2022 CU25 installations require build 16.0.4262.2 or later.
  • SQL Server 2025 GDR installations require build 17.0.1125.2 or later.
Microsoft’s records also identify the SQL Server 2025 CU6 servicing line. Because SQL Server security packages are baseline-specific, administrators should use the update mapped to the exact CU or GDR branch installed on each machine rather than selecting a package solely by major version.
The distinction between GDR and CU packages is operationally important. A General Distribution Release security update is designed for systems following the security-only servicing branch, while a CU-based security update applies to systems that have adopted cumulative updates containing both security and functional fixes.
Applying a CU package moves a server onto the CU servicing path, and Microsoft does not support moving that installation back to the GDR branch. Inventory tools and deployment rings should therefore track the full SQL Server build, edition, architecture, and servicing baseline before administrators approve the July package.

SQL Server 2016 Reaches Its Support Fork​

The disclosure lands on a consequential date for older database estates: SQL Server 2016 reached the end of extended support on July 14, 2026. Microsoft’s lifecycle documentation says Extended Security Updates begin on the same date, with eligible customers able to receive Critical security fixes for up to three additional years.
CVE-2026-55002 is rated Important rather than Critical. Microsoft’s SQL Server ESU documentation says the program includes only vulnerabilities classified as Critical, raising an immediate lifecycle concern for organizations expecting paid extended coverage to function like ordinary extended support.
The July packages include corrected SQL Server 2016 builds because the vulnerability was released on the product’s final extended-support date. Future Important-rated flaws may not receive the same treatment under ESU, even for customers that have completed enrollment.
SQL Server 2014 customers face a related deadline. Its second year of ESU ended on July 14, 2026, leaving one final ESU year through July 12, 2027. Microsoft’s affected-product data for CVE-2026-55002 does not list SQL Server 2014, but the shrinking support window reinforces the need to separate vulnerability patching from longer-term platform planning.
For SQL Server 2016, installing this update should be accompanied by a decision about what happens next: enrollment in ESU for eligible Critical fixes, migration to SQL Server 2022 or SQL Server 2025, or movement to an Azure-hosted SQL option. Remaining on an unprotected 2016 deployment after applying the last broadly available updates only postpones the support problem.

Patch the Engine, Then Verify the Build​

Microsoft has not published a workaround or mitigation for CVE-2026-55002, leaving installation of the applicable security update as the direct remediation. CISA’s initial SSVC assessment recorded no known exploitation and classified the vulnerability as not readily automatable, but assigned a potential total technical impact.
Database teams should still avoid treating SQL Server patching as a routine Windows reboot. Availability groups, failover cluster instances, replication topologies, vendor-certified applications, and tightly controlled maintenance windows all require sequencing and validation.
After deployment, administrators should query the engine version and confirm that the returned build meets or exceeds the corrected baseline for that servicing branch. They should also verify that SQL Server Agent starts normally, databases recover cleanly, availability replicas reconnect, scheduled jobs resume, and application connection tests succeed.
The local and authenticated requirements provide room for staged testing, but they are not reasons to leave the flaw open indefinitely. Servers used by multiple applications, developers, reporting teams, or hosted database customers expose more opportunities for a low-privileged identity to reach the vulnerable operation.
CVE-2026-55002 is not the loudest vulnerability in the July 2026 release, but it crosses a sensitive boundary on systems that often contain an organization’s most valuable data. For SQL Server 2016 operators in particular, the corrected build is both a security update and a marker that normal support has ended.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: learn.microsoft.com
  3. Official source: microsoft.com
  4. Official source: support.microsoft.com
  5. Official source: download.microsoft.com
 

Back
Top