Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch
From CTI Daily Brief — 2026-05-20 · published 2026-05-20
CERT Polska coordinated disclosure of five Sparx Systems vulnerabilities on 2026-05-19, each separately filed in ENISA EUVD-2026-30929 through EUVD-2026-30932. Researcher Blazej Adamczyk (br0x) published the full technical write-up with proof-of-concept code; the chained CVSSv4 score on Pro Cloud Server (PCS) ≤6.1 with the optional WebEA component installed is 10.0 Critical.
- CVE-2026-42097 (CWE-639, CVSS4 9.3) — Authentication bypass in PCS via model-parameter omission in a POST binary blob. The model URL query parameter is checked at the auth gate; a request that carries the model name only inside the binary blob bypasses it, enabling unauthenticated arbitrary SQL query execution (read + write) against any configured repository database.
- CVE-2026-42096 (CWE-863) — Authenticated SQL injection in an exposed database API endpoint; any authenticated user can inject arbitrary SQL.
- CVE-2026-42099 (CWE-362, CVSS4 7.7) — Race condition in /data_api/dl_internal_artifact.php. An attacker who can stage a repository file controls both the filename and the contents written to __DIR__; a slow-client timing attack keeps the PHP file live during transmission so a parallel HTTP request executes it — RCE in the web-server context. Requires the WebEA component.
- CVE-2026-42098 (CWE-603, CVSS4 8.7) — Client-side authentication in Enterprise Architect ≤17.1: RBAC is enforced in the client binary, so any authenticated user who patches the binary can log in as any other user (including administrator) and perform arbitrary repository modifications.
- CVE-2026-42100 (CWE-835) — Malformed SQL crashes the Pro Cloud Server service (DoS).
Sparx Systems was notified in advance but did not respond with version specifics or a remediation timeline; no official patch has been released. Tested vulnerable versions: PCS ≤6.1 build 167 and EA ≤17.1. Public exploit code is published in br0xpl/sparx_hack. CERT-PL emphasises that the vendor "didn't respond with the details of vulnerability or vulnerable version range" (CERT Polska).
Why it matters to us: Sparx Enterprise Architect is one of the dominant tools for IT enterprise-architecture modelling across EU and Swiss federal / cantonal IT units; Pro Cloud Server exposes EA repositories to remote teams over HTTP. Until a patch ships, restrict PCS / WebEA reachability to internal management networks only, disable WebEA if not strictly required, monitor IIS / Apache access logs for /data_api/dl_internal_artifact.php requests with unusual guid parameters and for any _api/data POST that omits the model query parameter, and rotate every database credential reachable from the PCS service account.
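As an added example (not code from the brief, from CERT Polska or from the br0x write-up), a small Python scan of IIS / Apache common-format access logs for the two indicators named above. It assumes a legitimate artifact guid is an EA-style {8-4-4-4-12} hex GUID and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate artifact id is an EA-style GUID, {8-4-4-4-12} hex digits.
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

# Constructed sample traffic (not real logs); paths are the ones named in the brief.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:09:01:02 +0200] "POST /_api/data?model=EADemo HTTP/1.1" 200 512
203.0.113.9 - - [20/May/2026:09:01:07 +0200] "POST /_api/data HTTP/1.1" 200 4096
10.0.0.8 - - [20/May/2026:09:02:10 +0200] "GET /data_api/dl_internal_artifact.php?guid=%7B7E9A4C1B-2D3F-4A5B-8C6D-0123456789AB%7D HTTP/1.1" 200 2048
203.0.113.9 - - [20/May/2026:09:02:11 +0200] "GET /data_api/dl_internal_artifact.php?guid=report.php HTTP/1.1" 200 13
"""


def check_request(method, target):
    """Return a rule label if the request matches one of the brief's indicators, else None."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    # Indicator 1: _api/data POST that omits the model query parameter (CVE-2026-42097 pattern).
    if method == "POST" and url.path.endswith("/_api/data") and "model" not in query:
        return "pcs-auth-bypass: POST to _api/data without model query parameter"
    # Indicator 2: artifact download whose guid is missing or not GUID-shaped (CVE-2026-42099 pattern).
    if url.path.endswith("/data_api/dl_internal_artifact.php"):
        guid = query.get("guid", [""])[0]
        if not GUID_RE.match(guid):
            return "webea-artifact: dl_internal_artifact.php with unusual guid value"
    return None


def scan_access_log(text):
    """Parse each log line and collect the requests that trip a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rule = check_request(m["method"], m["target"])
        if rule:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["rule"]} ({hit["target"]})')
```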