High-Severity SQL Server RCE and Auth0 Next.js Token Leak Disclosed
A high-severity vulnerability tracked as CVE-2026-33120 was disclosed in Microsoft SQL Server: an untrusted pointer dereference (the CWE-822 weakness class) that can give an authenticated attacker with low privileges remote code execution. The flaw is rated CVSS 8.8 and can be exploited over the network without user interaction, with potential impact on confidentiality, integrity, and availability. Because the only precondition is a low-privilege authenticated session, any principal that can log in to the instance, application service accounts included, is a potential attacker. Successful exploitation could lead to full compromise of the database server, enabling database theft, credential dumping, lateral movement, and possibly escape from tenant isolation in shared or multi-tenant deployments.
A separate disclosure, CVE-2026-40155, affects the Auth0 Next.js SDK and stems from a race condition in the SDK's DPoP proxy fetcher: under concurrent authenticated requests, one user's session identifiers, access tokens, or API response data can be returned to another user. The issue is rated CVSS 5.4 and is considered harder to exploit because it depends on precise timing, DPoP challenges, and concurrent requests reaching the application tier at the same moment. Its impact is confined to confidentiality (low integrity impact, no availability impact); it has a low EPSS score and is not listed in CISA's Known Exploited Vulnerabilities catalog.
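The bug class behind the Auth0 advisory, a fetcher that multiplexes concurrent users through shared mutable state and yields to the event loop between writing and reading it, is easy to reproduce deterministically. The following is an added illustration, not code from the Auth0 Next.js SDK and not a description of its internals: the session shape, the `upstream` and `makeDpopProof` stand-ins, and the two fetcher variants are all constructed for this demo. It shows the vulnerable pattern beside a fixed one that keeps every per-request value in the request's own scope.

```javascript
// Added illustration of a cross-user race in a proxy fetcher (hypothetical code,
// not the Auth0 Next.js SDK). Two users call the same fetcher concurrently; the
// vulnerable variant sends Alice's request with Bob's access token.

// Constructed stand-in for the upstream API: it reports which Authorization
// header it received, which is exactly the value that must never cross users.
async function upstream(url, headers) {
  await Promise.resolve(); // pretend network round-trip
  return { url, authorizationSeen: headers.Authorization };
}

// Stand-in for building a DPoP proof. The only property that matters for the
// race is that it is asynchronous, so the caller yields mid-request.
async function makeDpopProof(session, method, url) {
  await Promise.resolve();
  return `dpop-proof(${session.sub},${method},${url})`;
}

// VULNERABLE: a single module-level slot holds "the current request's" token.
// Overlapping requests both write the slot before either one reads it back.
const sharedCtx = { accessToken: null };

async function vulnerableProxyFetch(session, url) {
  sharedCtx.accessToken = session.accessToken;            // write shared state
  const proof = await makeDpopProof(session, 'GET', url); // yield: another request may run here
  return upstream(url, {                                  // read shared state: may be another user's
    Authorization: `DPoP ${sharedCtx.accessToken}`,
    DPoP: proof,
  });
}

// FIXED: every value the request needs lives in the request's own scope and is
// passed explicitly; nothing is read back from shared mutable state.
async function fixedProxyFetch(session, url) {
  const accessToken = session.accessToken;
  const proof = await makeDpopProof(session, 'GET', url);
  return upstream(url, { Authorization: `DPoP ${accessToken}`, DPoP: proof });
}

// Run two authenticated users through a fetcher at the same time and report
// which token each user's upstream call actually carried.
async function runConcurrently(fetcher) {
  const alice = { sub: 'alice', accessToken: 'at-alice' }; // constructed sessions
  const bob = { sub: 'bob', accessToken: 'at-bob' };
  const [ra, rb] = await Promise.all([fetcher(alice, '/api/me'), fetcher(bob, '/api/me')]);
  return {
    alice: ra.authorizationSeen,
    bob: rb.authorizationSeen,
    crossUserLeak:
      ra.authorizationSeen !== `DPoP ${alice.accessToken}` ||
      rb.authorizationSeen !== `DPoP ${bob.accessToken}`,
  };
}

async function demo() {
  return {
    vulnerable: await runConcurrently(vulnerableProxyFetch),
    fixed: await runConcurrently(fixedProxyFetch),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The interleaving is deterministic here because both callers write the shared slot synchronously before any microtask runs, so the first caller always resumes after the second has overwritten it. In a real server the window is a network or key operation rather than a microtask, which is why the advisory describes exploitation as timing-dependent; the fix is the same either way: no per-user value may live in state that outlives a single request.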
Timeline
Apr 21, 2026
CVE-2026-40155 in Auth0 Next.js SDK is publicly reported
A medium-severity race condition vulnerability, CVE-2026-40155, affecting the Auth0 Next.js SDK DPoP proxy fetcher is published with a CVSS 5.4 rating. The report says concurrent authenticated requests could expose one user's session identifiers, access tokens, or API responses to another user.
Apr 14, 2026
CVE-2026-33120 in Microsoft SQL Server is publicly reported
A high-severity remote code execution vulnerability, CVE-2026-33120, affecting Microsoft SQL Server is published with a CVSS 8.8 rating. The report says exploitation requires an authenticated low-privilege session and could lead to full compromise of the database server, including data theft and lateral movement.
Related Stories

Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple **privilege escalation** vulnerabilities in core enterprise products, including **Active Directory Domain Services** and **SQL Server**, with public reporting highlighting network-reachable attack paths that require only authenticated or otherwise authorized access. **CVE-2026-25177** affects AD DS and was described as an elevation-of-privilege issue tied to improper restriction of file and resource names, enabling abuse of crafted Unicode characters to create duplicate `SPN` or `UPN` values. Reporting indicates this can interfere with Kerberos ticket handling, potentially causing denial of service, triggering fallback to **NTLM** where enabled, and ultimately enabling escalation to **SYSTEM**-level control in affected environments. Microsoft also disclosed **CVE-2026-21262** in **SQL Server**, an **Important**-rated flaw with a **CVSS 8.8** score that allows an authenticated attacker to elevate privileges to `sysadmin`, giving full control over the database instance. Public reporting said Microsoft assessed exploitation as **less likely** and had not observed active in-the-wild abuse at disclosure time, but noted the issue was publicly disclosed, increasing the risk of follow-on exploit development. Other referenced items about **ADCS ESC1**, **Cisco SD-WAN Manager**, and **n8n** concern separate products and unrelated vulnerabilities, while the standalone MSRC entry does not provide enough detail in the supplied content to confirm it is part of the same specific event.
2 weeks ago
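The AD DS issue above turns on look-alike Unicode producing "duplicate" SPN or UPN values. A defender's first question is whether any such pairs already exist in the directory. The check below is an added example, not Microsoft's code and not the comparison the advisory describes: it groups name values that collapse to the same string after NFKC normalization and lowercasing, an assumed heuristic for surfacing confusable collisions, and flags which members contain non-ASCII characters. The input list is constructed; in practice it would be exported from the directory.

```javascript
// Added check for confusable SPN/UPN collisions (hypothetical, not AD's own
// comparison logic). Canonical form = NFKC normalization + lowercase, an
// assumption chosen to fold fullwidth letters, ligatures and case differences.

function canonical(name) {
  return name.normalize('NFKC').toLowerCase();
}

function hasNonAscii(name) {
  return /[^\x00-\x7F]/.test(name);
}

// entries: [{ dn, value }] where value is an SPN or UPN string.
// Returns one finding per canonical value that more than one object carries.
function findCollisions(entries) {
  const groups = new Map();
  for (const e of entries) {
    const key = canonical(e.value);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = [];
  for (const [key, members] of groups) {
    if (members.length < 2) continue;
    findings.push({
      canonical: key,
      // byteDistinct: the raw values differ, so a case-exact lookup would not catch them
      byteDistinct: new Set(members.map((m) => m.value)).size > 1,
      members: members.map((m) => ({
        dn: m.dn,
        value: m.value,
        nonAscii: hasNonAscii(m.value),
      })),
    });
  }
  return findings;
}

// Constructed sample export. \uFF57 is FULLWIDTH LATIN SMALL LETTER W and
// \uFB01 is the "fi" ligature; both fold to ASCII under NFKC.
const SAMPLE_ENTRIES = [
  { dn: 'CN=WEB01,OU=Servers,DC=corp,DC=example,DC=com', value: 'HTTP/web01.corp.example.com' },
  { dn: 'CN=svc-rogue,OU=Service,DC=corp,DC=example,DC=com', value: 'HTTP/\uFF57eb01.corp.example.com' },
  { dn: 'CN=FILE01,OU=Servers,DC=corp,DC=example,DC=com', value: 'cifs/file01.corp.example.com' },
  { dn: 'CN=svc-rogue,OU=Service,DC=corp,DC=example,DC=com', value: 'cifs/\uFB01le01.corp.example.com' },
  { dn: 'CN=DB01,OU=Servers,DC=corp,DC=example,DC=com', value: 'MSSQLSvc/db01.corp.example.com:1433' },
];

function runSample() {
  return findCollisions(SAMPLE_ENTRIES);
}

for (const f of runSample()) {
  console.log(`collision on ${f.canonical}`);
  for (const m of f.members) console.log(`  ${m.dn}  ${JSON.stringify(m.value)}  nonAscii=${m.nonAscii}`);
}
```

Any finding whose members span different objects, and especially one whose non-ASCII member sits on a low-privilege service account, is the pattern worth investigating before the March updates are confirmed installed.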
Microsoft discloses SSRF flaws in Purview, Entra ID, and Dynamics 365 Online
Microsoft published three high-severity cloud-service vulnerabilities affecting **Microsoft Purview eDiscovery**, **Microsoft Entra ID Entitlement Management**, and **Microsoft Dynamics 365 Online**. The flaws are tracked as `CVE-2026-26150`, `CVE-2026-35431`, and `CVE-2026-32210`, and all are classified as **server-side request forgery (SSRF)** under `CWE-918`. Microsoft tagged each issue as affecting an **exclusively hosted service**, indicating exposure in Microsoft-managed online environments rather than on-premises deployments. According to the CVE records, `CVE-2026-26150` could let an unauthorized attacker elevate privileges over a network in Purview eDiscovery, while `CVE-2026-35431` and `CVE-2026-32210` could enable spoofing in Entra ID Entitlement Management and Dynamics 365 Online. The published `CVSS v3.1` vectors show low attack complexity and no required privileges across all three issues, with Entra ID carrying the broadest potential impact to confidentiality, integrity, and availability, and Dynamics 365 requiring user interaction. Microsoft linked the disclosures to its Security Response Center guidance for customer tracking and remediation.
1 week ago
RCE in next-mdx-remote When Server-Side Rendering Untrusted MDX
HashiCorp disclosed **HCSEC-2026-01** (tracked as **CVE-2026-0969** / **GHSA-g4xw-jxrg-5f6m**) affecting the *next-mdx-remote* library used by Next.js applications to render MDX content. The flaw can lead to **arbitrary code execution** when applications **server-side render untrusted MDX** due to insufficient sanitization in the `serialize` compilation path, particularly when JavaScript expressions in MDX are permitted; the issue is categorized as **CWE-94 (code injection)** and reported with a **CVSS 3.1 score of 8.8 (High)**. Guidance from the Canadian Centre for Cyber Security and third-party analysis both recommend updating affected deployments. Impacted versions are reported as **4.3.0 through 5.0.0** (Cyber Centre advisory) and **4.3.0 up to but not including 6.0.0** (Socket), with remediation available in **6.0.0**; the 6.0.0 release also changes defaults to reduce exposure by disabling JavaScript expressions by default (`blockJS: true`) and adding additional guardrails when dangerous JS is explicitly enabled (e.g., best-effort blocking of constructs like `eval`, `Function`, `process`, and `require`).
1 month ago