MSSQL
CVE-2026-20803
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in SQL Server 2022 and 2025 stems from insufficient authentication controls on critical functions, enabling authenticated network attackers to gain elevated privileges. The vulnerability affects administrators and authenticated users with network access to affected SQL Server instances. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | High-privilege SQL Server account required; attacker must possess valid credentials for an authorized user with elevated permissions to access the vulnerable critical function over network. Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker could exploit this vulnerability to compromise the affected system. |
| Remediation | Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo
The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat
Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable cr
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affec
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are af
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeat
Share
External POC / Exploit Code
Leaving vuln.today