Last Wednesday I told you SQL Server got off easy in the May Patch Tuesday release. No critical, no public PoC, no headline. Apply the GDR or CU and move on.
I missed something. There was a SQL Server CVE worth talking about, and it got by me because the bug isn't in SQL Server. It's in SSIS.
CVE-2026-40370
CVSS 8.8. Published May 12. Microsoft's one-line description: 'External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.' That reads like a SQL Server engine bug. It isn't.
The actual fix, per KB5089899 and the sibling KBs covering every supported version back to 2016 SP3:
This fix addresses an XML external entity (XXE) vulnerability in the Web Service Task that allows an attacker to read arbitrary files from the local file system or cause a denial-of-service (DoS) attack.
Fix area: Integration Services. Component: Integration Services. Platform: Windows.
That is an SSIS bug shipped under a SQL Server CVE number. If you don't run SSIS, the headline does not apply to you. If you do run SSIS and have any package using the Web Service Task, this is yours to deal with.
What XXE is, briefly
XML External Entity is an old class of XML parser vulnerability. The XML spec lets a document declare external entities, like references to content fetched from a URL or a local file at parse time. If the parser resolves those references and the application returns the result, an attacker who controls the XML can read files off the server.
The classic payload looks like this:
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>
<foo>&xxe;</foo>
```
A vulnerable parser fetches c:\windows\win.ini and substitutes the contents into the response. Swap in any path the SQL Server service account can read -- config files, certificates, credential stores, anything -- and you have file disclosure. Point the entity at a non-responsive server and you have a DoS.
OWASP has covered this for over a decade. The fix in modern XML parsers is to disable DTD processing and external entity resolution by default. Microsoft's KB confirms that is what shipped on May 12 for the Web Service Task.
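To see what "disable DTD processing and external entity resolution" actually changes, here is the payload above parsed two ways with .NET's XmlReader, the XML stack SSIS components run on. This is an added example, not code from the post or the KB; the legacy branch mimics a parser that still resolves external entities, and the sample document is constructed.

```powershell
# Constructed sample: same shape as the payload above, pointing at a readable local file.
$xxeDoc = @'
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>
<foo>&xxe;</foo>
'@

function Read-FooContent {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [switch]$Hardened   # prohibit DTDs and drop the resolver, the fix OWASP recommends
    )
    $settings = [System.Xml.XmlReaderSettings]::new()
    if ($Hardened) {
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit  # any DOCTYPE -> XmlException
        $settings.XmlResolver   = $null                                  # nothing fetched from disk or network
    } else {
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Parse     # honour the internal DTD subset
        $settings.XmlResolver   = [System.Xml.XmlUrlResolver]::new()    # resolve SYSTEM entities (file:, http:)
    }
    $reader = [System.Xml.XmlReader]::Create([System.IO.StringReader]::new($Xml), $settings)
    try {
        $null = $reader.MoveToContent()               # skips the declaration (and the DOCTYPE, if allowed)
        return $reader.ReadElementContentAsString()   # entity references are expanded here
    } finally {
        $reader.Dispose()
    }
}

# Hardened parse: the DOCTYPE itself is rejected before any entity can be declared.
try   { "Hardened: " + (Read-FooContent -Xml $xxeDoc -Hardened) }
catch { "Hardened: rejected -> " + $_.Exception.Message }

# Legacy parse: <foo> now carries the text of win.ini. Only the length is printed.
$leaked = Read-FooContent -Xml $xxeDoc
"Legacy  : {0} characters of win.ini substituted into <foo>" -f $leaked.Length
```

Default XmlReaderSettings already prohibit DTDs; a parser is only exposed when someone turned that off and left a resolver in place, which is the configuration the May fix removes from the Web Service Task.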
Who is actually affected
Three conditions have to be true at the same time for this CVE to matter to your environment:
| Condition | Detail |
|---|---|
| You run SSIS | Integration Services installed on a Windows host running a supported SQL Server version. |
| At least one package uses Web Service Task | The control flow task that calls a SOAP web service. If your packages do not include it, the bug is not reachable. |
| An attacker can influence the XML | Microsoft classifies the attacker as 'authorized,' meaning they need permission to run packages or supply package input. Not unauthenticated. |
The third condition is what keeps this off the wormable list, and it is why I let it slide last week. 'Authorized attacker' is not nothing though. A user with SSIS execute permissions, a compromised application account, a malicious insider — any of those qualifies. And depending on which environment we are talking about, that could be a dozen people or a hundred.
One thing the bug description does not say is whether the vulnerability is reachable through package design alone, or only through runtime input. Until that is clear, the safe read is: if you have packages with the Web Service Task and any non-DBA can affect what XML those packages process, patch.
The patch matrix
Microsoft shipped a fix for every supported SQL Server version on May 12. Builds and KBs verified against Microsoft Support:
| Version | Servicing path | KB | Build |
|---|---|---|---|
| SQL Server 2016 SP3 | GDR | KB5089271 | 13.0.6490.1 |
| SQL Server 2017 | GDR | KB5090347 | 14.0.2110.2 |
| SQL Server 2019 | GDR | KB5090408 | 15.0.2170.1 |
| SQL Server 2022 | GDR | KB5091158 | 16.0.1180.1 |
| SQL Server 2022 | CU24 | KB5089900 | 16.0.4252.3 |
| SQL Server 2025 | GDR | KB5091223 | 17.0.1115.1 |
| SQL Server 2025 | CU4 | KB5089899 | 17.0.4040.1 |
Sibling KBs for the CU paths on 2016, 2017, and 2019 also shipped the same day. Check the Microsoft Security Update Guide for the package that matches your current build. As I noted last week, GDR and CU are separate lanes. Pick the one you have been applying.
SQL Server 2014 and earlier are out of mainstream support and do not appear in the May release. If you are on one of those and running SSIS, you are not getting this fix.
What to do this week
1. Inventory your packages.
Find every package that uses the Web Service Task. If your packages live in SSISDB, the project XML is queryable. If they live on the file system or in msdb, a recursive grep for STOCK:WebServiceTask in the .dtsx files will find them. Most shops have never inventoried which SSIS tasks are in use where. This is a good reason to start.
2. Identify who can supply input to those packages.
Any account that can execute the package, modify its variables at runtime, or supply the XML input it processes. SSIS catalog permissions, SQL Agent proxy accounts, application accounts calling the package via T-SQL -- all of them count.
3. Patch.
Apply the GDR or CU that matches your servicing path. The fix is in the SSIS runtime on the server, not the package itself. You do not need to redeploy packages.
4. If you cannot patch this week, look at your packages.
The Web Service Task is one of several tasks in SSIS that consume XML. If a package is reading XML from a source an untrusted user can influence, that is the exposure window. Consider disabling those packages until the patch lands.
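Step 1 above is the part most shops have never scripted. The following is an added example, not the post's own tooling: it walks file-system packages and every project in SSISDB for the Web Service Task and produces the list that step 2 starts from. The package roots and the instance name are assumptions; msdb-stored packages can be exported to a folder and picked up by the disk scan. It needs the SqlServer module for Invoke-Sqlcmd.

```powershell
$PackageRoots   = @('D:\SSIS\Packages')      # assumed: file-deployment roots to walk
$SsisDbInstance = 'SQLPROD01'                # assumed: instance hosting SSISDB
$Pattern        = 'STOCK:WebServiceTask'     # the string the post tells you to grep for

# One place to change if your package format spells the task moniker differently.
function Test-WebServiceTask { param([string]$PackageXml)
    return $PackageXml -match [regex]::Escape($Pattern)
}

# 1. File-system packages: every .dtsx under the roots, matched as raw text (no XML parser).
$hits = @(foreach ($root in $PackageRoots) {
    Get-ChildItem -Path $root -Filter *.dtsx -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-WebServiceTask (Get-Content -LiteralPath $_.FullName -Raw) } |
        ForEach-Object { [pscustomobject]@{ Source = 'FileSystem'; Package = $_.FullName } }
})

# 2. SSISDB packages: catalog.get_project returns the deployed .ispac, which is a zip of
#    .dtsx files; unpack it in memory and run the same check on each package.
Add-Type -AssemblyName System.IO.Compression
$projects = Invoke-Sqlcmd -ServerInstance $SsisDbInstance -Database SSISDB -Query @'
SELECT f.name AS folder_name, p.name AS project_name
FROM   catalog.projects AS p JOIN catalog.folders AS f ON p.folder_id = f.folder_id
'@
$hits += @(foreach ($p in $projects) {
    $folder  = $p.folder_name  -replace "'", "''"       # names are ours, but quote them anyway
    $project = $p.project_name -replace "'", "''"
    $row = Invoke-Sqlcmd -ServerInstance $SsisDbInstance -Database SSISDB -MaxBinaryLength 2147483647 `
        -Query "EXEC catalog.get_project @folder_name = N'$folder', @project_name = N'$project'"
    $zip = [System.IO.Compression.ZipArchive]::new([System.IO.MemoryStream]::new([byte[]]$row.ItemArray[0]))
    try {
        foreach ($entry in ($zip.Entries | Where-Object Name -like '*.dtsx')) {
            $xml = [System.IO.StreamReader]::new($entry.Open()).ReadToEnd()
            if (Test-WebServiceTask $xml) {
                [pscustomobject]@{ Source = 'SSISDB'; Package = "$($p.folder_name)/$($p.project_name)/$($entry.Name)" }
            }
        }
    } finally { $zip.Dispose() }
})

# Each hit is a package to check for who can execute or parameterize it (step 2 above).
$hits | Sort-Object Source, Package | Format-Table -AutoSize
```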
What I should have said last week
'SQL Server got off easy' was true for the engine. It was not true for SSIS. A CVSS 8.8 RCE that ships under a SQL Server CVE number, with a fix in every supported version, deserves more than a footnote -- even when the attack surface is narrower than the headline suggests.
This is the second month in a row that the SQL Server CVE worth caring about is not actually in the engine. March was the sysadmin escalation in linked servers. May is XXE in the SSIS Web Service Task. The pattern is worth noting. The headline CVE rating tells you the score. It does not tell you which component shipped the fix or whether the bug is reachable in your environment. For that, you have to read the KB.
Apologies for the miss. Patch your SSIS hosts this week.
More to Read
Microsoft Security Response Center: CVE-2026-40370
Microsoft Security Update Guide: May 2026 Release Notes
KB5089899: SQL Server 2025 CU4 (canonical fix description)
OWASP: XML External Entity (XXE) Processing
sqlfingers inc: Patch Tuesday May 2026 — SQL Got Off Easy. Your Domain Didn't.