CVE-2026-47296 is a Microsoft SQL Server elevation of privilege vulnerability described as an SQL injection issue. It has a CVSS v3.1 base score of 7.8 and temporal score of 6.8, with a local attack vector, low attack complexity, low privileges required, and no user interaction. Microsoft states that successful exploitation could grant sysadmin privileges, with high confidentiality, integrity, and availability impact. Exploit status is not publicly disclosed and not exploited, with exploit code maturity unproven. Because the vector is local rather than network-based, enterprise risk is more limited than for remotely exploitable issues, but it remains significant for systems where untrusted local access exists. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; CIA impacts are HIGH / HIGH / HIGH. - Exploitation likelihood: Exploitation Less Likely; local vector (AV:L), low complexity, low privileges required, and no user interaction. - Severity for enterprise: High severity by CVSS, but enterprise exposure is lower than remote bugs because exploitation requires local access; still relevant on shared hosts or environments with untrusted local users or code. - Patch status: available; customer action required. Affected systems: - SQL Server 2025 CU6+GDR - SQL Server 2025 RTM+GDR - SQL Server 2022 CU25+GDR - SQL Server 2022 RTM+GDR - SQL Server 2019 CU32+GDR - SQL Server 2019 RTM+GDR - SQL Server 2017 CU31+GDR - SQL Server 2017 RTM+GDR - SQL Server 2016 Azure Connect Feature Pack+GDR - SQL Server 2016 SP3+GDR