Skip to main content

Sparx Pro Cloud Server CVE-2026-42096

| EUVDEUVD-2026-30927 HIGH
Incorrect Authorization (CWE-863)
2026-05-19 CERT-PL GHSA-544c-gfhm-rwqf
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 14:30 vuln.today

DescriptionCVE.org

Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.

Technical ContextAI

Sparx Pro Cloud Server is the multi-user collaboration backend for Sparx Enterprise Architect, brokering access between modeling clients and a backing relational database (typically SQL Server, MySQL, PostgreSQL, or Oracle). The vulnerability is classified as CWE-863 (Incorrect Authorization): the server exposes a database communication channel that accepts SQL statements from clients, but fails to verify whether the authenticated client has the role required to issue those statements. As a result, queries are forwarded to the database under the service's connection identity, which generally holds broad DDL/DML rights across the modeling schema and possibly other databases hosted on the same instance.

RemediationAI

No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL's coordinated disclosure with a fix version or vulnerable-range confirmation, so administrators should contact Sparx Systems directly to obtain a remediated build and consult the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 for updates. As compensating controls, restrict network reachability of the Pro Cloud Server listener (default TCP ports for the model server) to trusted modeler workstations via firewall ACLs or VPN segmentation, since exploitation requires authenticated network access; aggressively prune Pro Cloud Server user accounts to remove inactive or low-trust principals; and reduce the privileges of the database service account used by Pro Cloud Server to the minimum required schema (drop CREATE/ALTER/DROP and cross-database SELECT where possible), accepting that some modeling features that mutate schema may break. Additional context is available in the third-party analyses at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/.

Share

CVE-2026-42096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy