Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.
Technical ContextAI
Sparx Pro Cloud Server is the multi-user collaboration backend for Sparx Enterprise Architect, brokering access between modeling clients and a backing relational database (typically SQL Server, MySQL, PostgreSQL, or Oracle). The vulnerability is classified as CWE-863 (Incorrect Authorization): the server exposes a database communication channel that accepts SQL statements from clients, but fails to verify whether the authenticated client has the role required to issue those statements. As a result, queries are forwarded to the database under the service's connection identity, which generally holds broad DDL/DML rights across the modeling schema and possibly other databases hosted on the same instance.
RemediationAI
No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL's coordinated disclosure with a fix version or vulnerable-range confirmation, so administrators should contact Sparx Systems directly to obtain a remediated build and consult the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 for updates. As compensating controls, restrict network reachability of the Pro Cloud Server listener (default TCP ports for the model server) to trusted modeler workstations via firewall ACLs or VPN segmentation, since exploitation requires authenticated network access; aggressively prune Pro Cloud Server user accounts to remove inactive or low-trust principals; and reduce the privileges of the database service account used by Pro Cloud Server to the minimum required schema (drop CREATE/ALTER/DROP and cross-database SELECT where possible), accepting that some modeling features that mutate schema may break. Additional context is available in the third-party analyses at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/.
More in Pro Cloud Server
View allUnauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the UR
Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30927
GHSA-544c-gfhm-rwqf