PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40370 Microsoft CVE debrief

CVE-2026-40370 is a HIGH severity vulnerability in Microsoft SQL Server that allows an authorized attacker to execute code over a network. It has a CVSS score of 8.8 and was published on May 12, 2026. It affects SQL Server 2016, 2017, 2019, 2022, and 2025. The root cause is external control of a file name or path, which an authorized attacker can abuse to execute code remotely. Microsoft has published a vendor advisory for this vulnerability [ref-4].

Vendor: Microsoft
Product: Microsoft SQL Server 2016 Service Pack 3 (GDR)
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-06-18
Advisory published: 2026-05-12
Advisory updated: 2026-06-18

Who should care

Administrators and users of Microsoft SQL Server 2016, 2017, 2019, 2022, and 2025 should be aware of this vulnerability and take the necessary steps to mitigate it. Because an authorized attacker can exploit it over the network to execute code, successful exploitation can lead to compromise of the affected system.

Technical summary

The vulnerability stems from external control of a file name or path in Microsoft SQL Server, which lets an authorized attacker execute code over a network. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, low privileges required, no user interaction, scope unchanged, and high impact on confidentiality, integrity, and availability. The affected versions are SQL Server 2016, 2017, 2019, 2022, and 2025. The associated weaknesses are CWE-73 (External Control of File Name or Path) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patches provided by Microsoft to vulnerable SQL Server instances
  • Restrict network access to SQL Server instances to the hosts and users that require it
  • Monitor SQL Server instances for suspicious activity
  • Implement additional security measures such as firewalls and intrusion detection systems
  • Regularly update and patch SQL Server instances
  • Consider deploying a web application firewall to detect and block attacks

Evidence notes

The information in this debrief is based on the CVE record and the NVD detail [nvd]. The CVE record was published on May 12, 2026, and last modified on June 18, 2026 [cve-org]. The NVD detail supplies the CVSS vector and the CWE mappings [nvd].

Official resources

This debrief is based on the CVE record for CVE-2026-40370 and the NVD detail.