Microsoft's July 14, 2026 Patch Tuesday brought a fix for CVE-2026-55002, an elevation-of-privilege vulnerability in SQL Server that could allow an authenticated local attacker to take full control of a database host. The flaw affects all supported versions from SQL Server 2016 through 2025, and its disclosure coincides exactly with the end of extended support for SQL Server 2016, making it a critical decision point for organizations still running that edition.
The Vulnerability: A File Path That Opens the Door
CVE-2026-55002 arises from a path-handling weakness in SQL Server, classified as CWE-73: External Control of File Name or Path. Microsoft hasn't released specific technical details, but vulnerabilities of this type generally occur when software permits an attacker to supply or influence a file path, then uses that path without properly restricting which directories are accessible. In a database engine that runs with high-level service account permissions, this can quickly become a path to full compromise.
The attack requires local access to the target system—this isn't something an external threat actor can fire off over the internet. An attacker must already have a foothold with low-level privileges on the machine. But once they do, exploitation is rated as low complexity, with no user interaction required. Microsoft assigns the flaw a CVSS 3.1 score of 7.8, with high impact on confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerable component and the impacted resources belong to the same security authority, but that authority can be completely undermined.
In real-world terms, this means a criminal who has stolen a valid but limited database login could use CVE-2026-55002 to elevate to the privileges of the SQL Server service account—typically a powerful identity with broad file system and network access. From there, they could steal data, deploy ransomware, or move laterally across the network. Security teams should treat this as a post-compromise escalation vector that amplifies the damage of any initial breach.
Your Affected Systems: Versions and Fixed Builds
The patch affects every major SQL Server release currently in active support: 2016, 2017, 2019, 2022, and the newly released 2025. Because SQL Server uses a branching servicing model with General Distribution Releases (GDR) and Cumulative Updates (CU), you must match the exact servicing branch on each instance. Applying a CU package from a GDR baseline forces a permanent switch to the CU track; there's no going back.
Here are the fixed build numbers for each affected release and servicing branch, as published by Microsoft:
| Version | Servicing Branch | Fixed Build |
|---|---|---|
| 2016 | SP3 GDR | 13.0.6500.1 |
| 2016 | Azure Connect Feature Pack | 13.0.7095.1 |
| 2017 | CU31 | 14.0.3540.1 |
| 2017 | GDR | 14.0.2120.1 |
| 2019 | CU32 | 15.0.4480.2 |
| 2019 | GDR | 15.0.2180.2 |
| 2022 | GDR | 16.0.1190.2 |
| 2022 | CU25 | 16.0.4262.2 |
| 2025 | GDR | 17.0.1125.2 |
For SQL Server 2025 CU6, Microsoft's advisory identifies the servicing line but did not immediately publish a specific build number. Administrators running that branch should consult the associated KB article for the correct version.
SQL Server 2016 Support Ends Today—Here's What That Means
July 14, 2026 marks the end of extended support for SQL Server 2016. After this date, Microsoft will no longer release regular security updates for the platform, including fixes for vulnerabilities rated Important or lower. The company does offer Extended Security Updates (ESUs), but these only cover flaws classified as Critical—and CVE-2026-55002 is rated Important, not Critical.
This makes the July 2026 Patch Tuesday release effectively the last comprehensive security update for SQL Server 2016. Even organizations that purchase ESUs for their 2016 installations will not receive protections against future Important-rated bugs. That stark reality should prompt immediate action. If you haven't already migrated off SQL Server 2016, you now have two urgent tasks: apply this patch, and finalize a plan to move to a supported version—whether that's SQL Server 2022, 2025, or a cloud-based option like Azure SQL Managed Instance.
The same date also marks the beginning of the third and final year of ESUs for SQL Server 2014, which runs through July 12, 2027. While Microsoft's advisory doesn't list 2014 as affected by this particular CVE, its shrinking support window underscores the broader need to treat aging database platforms as a priority risk.
How to Patch and Verify Your SQL Servers
There is no workaround or mitigation for CVE-2026-55002—the security update is the only defense. Follow these steps to protect your environment:
- Inventory your SQL Server landscape. Run a query against each instance to get the exact version and edition. For example:
SELECT @@VERSION. Compare the output against the fixed builds in the table above. - Download the correct update package from the Microsoft Update Catalog or through your patch management system, matching the version and servicing branch (GDR or CU). Be sure to select the right architecture (x64) and language.
- Test the update in a non-production mirror of your database environment, especially if you use availability groups, failover cluster instances, or replication. Validate that all databases come online, jobs run, and applications connect normally.
- Deploy the patch during a scheduled maintenance window following the recommended order for high-availability configurations. For clustered instances, update passive nodes first, fail over, then update the remaining node.
- Verify the installation by querying the version again and checking that the build number meets or exceeds the fixed baseline. Additionally, confirm that SQL Server Agent starts, backup jobs are successful, and no errors appear in the logs.
Because the attack requires local access and low privileges, there's less urgency than with a remote zero-day, but don't delay indefinitely. Every low-privileged user or compromised application on a host could become a launchpad.
What Comes Next
Microsoft has not indicated whether additional exploits for CVE-2026-55002 are under active development. With detailed vulnerability analysis typically emerging within weeks of Patch Tuesday, however, it's wise to assume that proof-of-concept code will appear. Patching now, before attackers can reverse-engineer the fix, keeps the advantage on your side.
For SQL Server 2016 holdouts, this update is the end of an era. It's the last free, broadly available security fix. The clock is ticking on migration. If you must remain on 2016 due to application compatibility, enroll in ESUs immediately—but accept that Important-rated flaws like today's won't be covered in the future. Plan your upgrade to SQL Server 2022 or 2025, or migrate to a managed Azure SQL service where Microsoft handles patching automatically.
Meanwhile, mark your calendar for the next Patch Tuesday. July's updates include fixes for other critical Windows components, and staying current remains your best defense.