Andreas Wolter 4/30/2026

When DROP USER Doesn’t Fully Drop Access: Stale EXTERNAL MODEL Permissions in SQL Server’s AI Integrations

Read Original

This article investigates a security-relevant design issue in SQL Server 2025's AI integration and vector search capabilities. It describes a permission lifecycle bug where EXTERNAL MODEL permissions remain in sys.database_permissions after a user is dropped, and the reused principal_id can cause stale permissions to attach to new principals. While direct privilege escalation requires additional credential permissions, overlapping credential access can lead to unintended access to external AI models. The article emphasizes the importance of deterministic security behavior in deprovisioning and access governance.

When DROP USER Doesn’t Fully Drop Access: Stale EXTERNAL MODEL Permissions in SQL Server’s AI Integrations

Comments

No comments yet

Be the first to share your thoughts!

Browser Extension

Get instant access to AllDevBlogs from your browser

Top of the Week

No top articles yet