Andreas Wolter 4/6/2026

SQL Server Privilege Escalation via DatabaseManager-role: Newly discovered Attack Paths Explained

Read Original

This article details two newly discovered privilege escalation paths in SQL Server where members of the ##MS_DatabaseManager## server-role can escalate to sysadmin. The first path abused the sp_syspolicy_purge_history stored procedure and was fixed in recent updates. The second path, which Microsoft decided not to fix, relies on database lifecycle operations and indirect execution through system components. The article emphasizes that ALTER ANY DATABASE permission is sufficient for the attack. It provides practical recommendations including reviewing permissions, implementing server auditing, and adding database auditing on system databases. The findings highlight risks from indirect execution paths, overly broad permissions, and assumptions about safe capabilities.

SQL Server Privilege Escalation via DatabaseManager-role: Newly discovered Attack Paths Explained

Comments

No comments yet

Be the first to share your thoughts!

Browser Extension

Get instant access to AllDevBlogs from your browser

Top of the Week

No top articles yet