May 2026: SQL Server Remote Code Execution Vulnerability
CVE-2026-40370 Published on May 12, 2026

SQL Server Remote Code Execution Vulnerability
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.

Vendor Advisory NVD

Weakness Type

External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.

Products Associated with CVE-2026-40370

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Microsoft Sql Server 2025

Microsoft Sql Server 2022

Microsoft Sql Server 2017

Microsoft Sql Server 2019

Microsoft Sql Server 2016

Affected Versions

Microsoft SQL Server 2016 Service Pack 3 (GDR):

Version 13.0.0 and below 13.0.6490.1 is affected.

Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack:

Version 13.0.0 and below 13.0.7085.1 is affected.

Microsoft SQL Server 2017 (CU 31):

Version 14.0.0 and below 14.0.3530.2 is affected.

Microsoft SQL Server 2017 (GDR):

Version 14.0.0 and below 14.0.2110.2 is affected.

Microsoft SQL Server 2019 (CU 32):

Version 15.0.0.0 and below 15.0.4470.1 is affected.

Microsoft SQL Server 2019 (GDR):

Version 15.0.0 and below 15.0.2170.1 is affected.

Microsoft SQL Server 2022 (GDR):

Version 16.0.0 and below 16.0.1180.1 is affected.

Microsoft SQL Server 2022 for x64-based Systems (CU 24):

Version 16.0.0.0 and below 16.0.4252.3 is affected.

Microsoft SQL Server 2025 (CU 4):

Version 17.0.4040.1 and below 17.0.4040.1 is affected.

Microsoft SQL Server 2025 for x64-based Systems (GDR):

Version 17.0.1050.2 and below 17.0.1115.1 is affected.

May 2026: SQL Server Remote Code Execution VulnerabilityCVE-2026-40370 Published on May 12, 2026

Weakness Type

External Control of File Name or Path

Products Associated with CVE-2026-40370

Affected Versions

May 2026: SQL Server Remote Code Execution Vulnerability
CVE-2026-40370 Published on May 12, 2026