High-Severity SQL Server RCE and Auth0 Next.js Token Leak Disclosed
A high-severity vulnerability tracked as CVE-2026-33120 was disclosed in Microsoft SQL Server, where an untrusted pointer dereference can allow remote code execution by an authenticated attacker with low privileges. The flaw is rated CVSS 8.8 and can be exploited over the network without user interaction, with potential impact across confidentiality, integrity, and availability. Successful exploitation could lead to system-level compromise of the database server, enabling database theft, credential dumping, lateral movement, and possible tenant-isolation escape in shared or multi-tenant deployments.
A separate disclosure, CVE-2026-40155, affects the Auth0 Next.js SDK and stems from a race condition in the DPoP proxy fetcher that can expose one user’s session identifiers, access tokens, or API response data to another concurrent authenticated user. The issue is rated CVSS 5.4 and is considered harder to exploit because it depends on precise timing, DPoP challenges, and concurrent requests reaching the application tier. Its impact is focused on data confidentiality, with low integrity impact, no availability impact, a low EPSS score, and no listing in CISA’s Known Exploited Vulnerabilities catalog.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-40155 in Auth0 Next.js SDK is publicly reported
A medium-severity race condition vulnerability, CVE-2026-40155, affecting the Auth0 Next.js SDK DPoP proxy fetcher is published with a CVSS 5.4 rating. The report says concurrent authenticated requests could expose one user's session identifiers, access tokens, or API responses to another user.
CVE-2026-33120 in Microsoft SQL Server is publicly reported
A high-severity remote code execution vulnerability, CVE-2026-33120, affecting Microsoft SQL Server is published with a CVSS 8.8 rating. The report says exploitation requires an authenticated low-privilege session and could lead to full compromise of the database server, including data theft and lateral movement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40155: CVE-2026-40155: Race Condition in Auth0 Next.js SDK DPoP Proxy Fetcher | CVEReports
cvereports.com
Open sourceCVE-2026-33120: CVE-2026-33120: Remote Code Execution via Untrusted Pointer Dereference in Microsoft SQL Server | CVEReports
cvereports.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Discloses RCE Flaws in SPNEGO NEGOEX and SQL Server Native Client
Microsoft published security advisories for two remote code execution vulnerabilities affecting distinct enterprise components: **CVE-2025-47981** in the **SPNEGO Extended Negotiation (`NEGOEX`) Security Mechanism** and **CVE-2024-49008** in **SQL Server Native Client**. Both issues were listed in the Microsoft Security Update Guide as remote code execution flaws, indicating that successful exploitation could allow arbitrary code to run in the context of the targeted component. The disclosures highlight risk across both authentication infrastructure and database connectivity software commonly used in Windows environments. Organizations relying on Microsoft authentication mechanisms or legacy SQL Server client components should review the relevant advisories, identify exposed systems, and prioritize vendor updates to reduce the chance of compromise through unpatched RCE paths.
May 25, 2026
Microsoft March Security Updates for Active Directory and SQL Server Privilege Escalation Flaws
Microsoft disclosed multiple **privilege escalation** vulnerabilities in core enterprise products, including **Active Directory Domain Services** and **SQL Server**, with public reporting highlighting network-reachable attack paths that require only authenticated or otherwise authorized access. **CVE-2026-25177** affects AD DS and was described as an elevation-of-privilege issue tied to improper restriction of file and resource names, enabling abuse of crafted Unicode characters to create duplicate `SPN` or `UPN` values. Reporting indicates this can interfere with Kerberos ticket handling, potentially causing denial of service, triggering fallback to **NTLM** where enabled, and ultimately enabling escalation to **SYSTEM**-level control in affected environments. Microsoft also disclosed **CVE-2026-21262** in **SQL Server**, an **Important**-rated flaw with a **CVSS 8.8** score that allows an authenticated attacker to elevate privileges to `sysadmin`, giving full control over the database instance. Public reporting said Microsoft assessed exploitation as **less likely** and had not observed active in-the-wild abuse at disclosure time, but noted the issue was publicly disclosed, increasing the risk of follow-on exploit development. Other referenced items about **ADCS ESC1**, **Cisco SD-WAN Manager**, and **n8n** concern separate products and unrelated vulnerabilities, while the standalone MSRC entry does not provide enough detail in the supplied content to confirm it is part of the same specific event.
Apr 16, 2026
Microsoft discloses SSRF flaws in Purview, Entra ID, and Dynamics 365 Online
Microsoft published three high-severity cloud-service vulnerabilities affecting **Microsoft Purview eDiscovery**, **Microsoft Entra ID Entitlement Management**, and **Microsoft Dynamics 365 Online**. The flaws are tracked as `CVE-2026-26150`, `CVE-2026-35431`, and `CVE-2026-32210`, and all are classified as **server-side request forgery (SSRF)** under `CWE-918`. Microsoft tagged each issue as affecting an **exclusively hosted service**, indicating exposure in Microsoft-managed online environments rather than on-premises deployments. According to the CVE records, `CVE-2026-26150` could let an unauthorized attacker elevate privileges over a network in Purview eDiscovery, while `CVE-2026-35431` and `CVE-2026-32210` could enable spoofing in Entra ID Entitlement Management and Dynamics 365 Online. The published `CVSS v3.1` vectors show low attack complexity and no required privileges across all three issues, with Entra ID carrying the broadest potential impact to confidentiality, integrity, and availability, and Dynamics 365 requiring user interaction. Microsoft linked the disclosures to its Security Response Center guidance for customer tracking and remediation.
May 24, 2026