Skip to main content

MSSQL CVE-2026-20803

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-01-13 secure@microsoft.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 13, 2026 - 18:16 nvd
HIGH 7.2

DescriptionCVE.org

Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in SQL Server 2022 and 2025 stems from insufficient authentication controls on critical functions, enabling authenticated network attackers to gain elevated privileges. The vulnerability affects administrators and authenticated users with network access to affected SQL Server instances. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish network connection to SQL Server
Exploit
Authenticate with high-privilege credentials
Execution
Invoke unauthenticated critical function
Impact
Escalate privileges to system level

Vulnerability AssessmentAI

Exploitation High-privilege SQL Server account required; attacker must possess valid credentials for an authorized user with elevated permissions to access the vulnerable critical function over network. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in MSSQL

View all
CVE-2025-15560 HIGH
8.8 Feb 19

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo

CVE-2025-61943 HIGH
8.4 Jan 16

The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper

CVE-2026-32628 HIGH
7.7 Mar 13

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a

CVE-2026-21968 MEDIUM
6.5 Jan 20

Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat

CVE-2026-21950 MEDIUM
6.5 Jan 20

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af

CVE-2026-21949 MEDIUM
6.5 Jan 20

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af

CVE-2026-21929 MEDIUM
5.3 Jan 20

Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat

CVE-2026-21964 MEDIUM
4.9 Jan 20

Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable cr

CVE-2026-21952 MEDIUM
4.9 Jan 20

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affec

CVE-2026-21948 MEDIUM
4.9 Jan 20

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af

CVE-2026-21941 MEDIUM
4.9 Jan 20

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af

CVE-2026-21937 MEDIUM
4.9 Jan 20

Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat

Share

CVE-2026-20803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy