CVE-2026-20803 is a recently disclosed elevation-of-privilege vulnerability in Microsoft SQL Server that was included in Microsoft’s January 2026 Patch Tuesday security updates on January 13, 2026.

Vulnerability Details

• Product affected: Microsoft SQL Server (including versions such as SQL Server 2022 and later service releases).
• Type: Elevation of privilege due to missing authentication for a critical function (CWE-306).
• What it does: A flaw in SQL Server’s handling of authentication for an internal function can allow someone who already has authorized access to escalate privileges over a network.

Technical Severity

• CVSS v3.1 Base Score:7.2 (High severity)
  • Attack Vector: Network
  • Privileges Required: High
  • User Interaction: None
  • Impact: High on Confidentiality, Integrity, and Availability
• According to vulnerability trackers, exploitation is considered less likely at this stage and no public exploit is known yet, but the risk remains serious especially in environments where SQL Server is network-accessible.

Impact

• An attacker with existing high-level credentials on a vulnerable SQL Server could leverage this bug to gain higher system privileges, potentially allowing them to:
  • Dump memory contents
  • Access sensitive information
  • Open pathways for further compromise inside the network

Mitigation / Patch Status

• Microsoft has issued a security update addressing this flaw as part of its January 2026 Patch Tuesday. Affected organizations should apply the patch immediately to prevent potential exploitation.

Summary

CVE-2026-20803 is an important privilege-escalation vulnerability in Microsoft SQL Server caused by missing authentication checks. While active exploit code isn’t yet reported, its high impact rating and presence in enterprise database environments make prompt patching critical.