ctipilot.ch

Sparx Pro Cloud Server — authenticated SQL injection via database API endpoint; PCS ≤ 6.1

cve · CVE-2026-42096

Coverage timeline: first 2026-05-20 → last 2026-05-20
Briefs: 1 (1 distinct)
Sources cited: 8 (8 hosts)
Sections touched: 0
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20

Source distribution

  • cert.pl: 1 (12%)
  • euvd.enisa.europa.eu: 1 (12%)
  • sploit.tech: 1 (12%)
  • drupal.org: 1 (12%)
  • github.com: 1 (12%)
  • microsoft.com: 1 (12%)
  • msrc.microsoft.com: 1 (12%)
  • stepsecurity.io: 1 (12%)

Related entities

Items in briefs about Sparx Pro Cloud Server — authenticated SQL injection via database API endpoint; PCS ≤ 6.1 (1)

Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

CERT Polska coordinated the disclosure of five Sparx Systems vulnerabilities on 2026-05-19, filed with ENISA as EUVD-2026-30929 through EUVD-2026-30932. Researcher Blazej Adamczyk (br0x) published the full technical write-up with proof-of-concept code; the chained CVSSv4 score against Pro Cloud Server (PCS) ≤6.1 with the optional WebEA component installed is 10.0 (Critical).

  • CVE-2026-42097 (CWE-639, CVSS4 9.3) — Authentication bypass in PCS by omitting the model parameter from the URL of a POST whose body is a binary blob. The auth gate checks only the model URL query parameter; a request that omits it and carries the model name solely inside the binary blob passes the gate, giving unauthenticated arbitrary SQL execution (read and write) against any configured repository database.
  • CVE-2026-42096 (CWE-863) — Authenticated SQL injection in an exposed database API endpoint; any authenticated user can inject arbitrary SQL.
  • CVE-2026-42099 (CWE-362, CVSS4 7.7) — Race condition in /data_api/dl_internal_artifact.php. An attacker who can stage a repository file controls both the filename and the contents the endpoint writes into __DIR__ (the serving script's own directory, under the web root); the file exists only for the duration of the download, so a deliberately slow client keeps it on disk while a parallel HTTP request executes it as PHP, giving RCE in the web-server context. Requires the WebEA component.
  • CVE-2026-42098 (CWE-603, CVSS4 8.7) — Client-side authentication in Enterprise Architect ≤17.1: RBAC is enforced in the client binary, so any authenticated user who patches the binary can log in as any other user (including administrator) and perform arbitrary repository modifications.
  • CVE-2026-42100 (CWE-835) — Malformed SQL crashes the Pro Cloud Server service (DoS).
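To make the timing window in the race-condition item concrete, here is an added Python simulation, not the vendor's code and not the published PoC, of the pattern that bullet describes: a handler that writes attacker-named bytes into the script's own directory, streams them and deletes the file afterwards, beside a hardened handler that stages the download under a random non-executable name outside the web root and passes the caller's name only in a Content-Disposition header. The directory names, function names and the Event-based stand-in for a slow client are assumptions of the example; what it shows is that the client, by stalling the transfer, chooses how long a parallel request has to find the .php file in place.

```python
import os
import secrets
import tempfile
import threading

# Two scratch directories stand in for the real layout (assumption of this example):
# WEBROOT plays the role of __DIR__ of the serving script, where any *.php file is
# executable by the web server; PRIVATE is a staging directory never served from.
WEBROOT = tempfile.mkdtemp(prefix="webroot_")
PRIVATE = tempfile.mkdtemp(prefix="private_")


def webroot_has_php():
    """What a parallel GET observes: is there an executable .php file in the web root?"""
    return any(name.lower().endswith(".php") for name in os.listdir(WEBROOT))


def serve_vulnerable(filename, content, first_chunk_sent, client_done):
    """The pattern described for the vulnerable endpoint: attacker-chosen name and
    bytes are written next to the script, streamed, then removed. Between the write
    and the unlink the file is live, and the client decides how long that takes."""
    path = os.path.join(WEBROOT, filename)
    with open(path, "wb") as f:
        f.write(content)
    first_chunk_sent.set()   # headers and first bytes are on the wire
    client_done.wait()       # a slow client stalls the transfer here for as long as it likes
    os.unlink(path)


def serve_hardened(filename, content, first_chunk_sent, client_done):
    """Hardened form: random, non-executable name in a directory outside the web
    root; the caller-supplied name only ever appears in Content-Disposition."""
    path = os.path.join(PRIVATE, secrets.token_hex(16) + ".bin")
    with open(path, "wb") as f:
        f.write(content)
    safe_name = os.path.basename(filename).replace('"', "")
    disposition = 'attachment; filename="%s"' % safe_name
    first_chunk_sent.set()
    client_done.wait()       # the same slow client, but nothing executable is exposed
    os.unlink(path)
    return disposition


def run_race(handler, filename="x.php", content=b"<?php echo 'race'; ?>"):
    """Drive one stalled download through `handler` and probe the web root while the
    transfer is paused. Returns True if a parallel request would find a .php file."""
    first_chunk_sent = threading.Event()
    client_done = threading.Event()
    worker = threading.Thread(target=handler,
                              args=(filename, content, first_chunk_sent, client_done))
    worker.start()
    first_chunk_sent.wait()       # the slow client now holds the connection open
    seen = webroot_has_php()      # the second, parallel request arrives at this moment
    client_done.set()             # let the transfer finish and the file be deleted
    worker.join()
    return seen


if __name__ == "__main__":
    print("vulnerable handler exposes .php during transfer:", run_race(serve_vulnerable))
    print("hardened handler exposes .php during transfer:  ", run_race(serve_hardened))
```

The Event pair replaces real network timing so the result is deterministic; in the real attack the same effect comes from reading the response body one byte at a time (or not at all) while the connection stays open.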

Sparx Systems was notified in advance but did not respond with version specifics or a remediation timeline, and no official patch has been released. Tested vulnerable versions: PCS ≤6.1 build 167 and EA ≤17.1. Public exploit code is published in the br0xpl/sparx_hack repository. CERT Polska emphasises that the vendor "didn't respond with the details of vulnerability or vulnerable version range" (CERT Polska).

Why it matters to us: Sparx Enterprise Architect is one of the dominant tools for IT enterprise-architecture modelling across EU and Swiss federal / cantonal IT units, and Pro Cloud Server exposes EA repositories to remote teams over HTTP. Until a patch ships: restrict PCS / WebEA reachability to internal management networks only; disable WebEA where it is not strictly required; monitor IIS / Apache access logs for /data_api/dl_internal_artifact.php requests with unusual guid parameters (for example path separators or a .php suffix) and for any POST to _api/data that omits the model query parameter; and rotate every database credential reachable from the PCS service account, since CVE-2026-42097 gives unauthenticated read and write access to those databases.
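The two log checks above, implemented as an added Python example (not from the brief, CERT Polska or the researcher's repository) over constructed Apache combined-format lines: it flags dl_internal_artifact.php requests whose guid value is not a braced repository GUID, and POSTs to _api/data whose query string lacks a non-empty model parameter. The path forms, the GUID format check and the sample lines are assumptions of the example; adapt the path tests to how PCS is mounted in your deployment, and feed real access logs through `scan()`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined format (not real traffic).
# Line 1 and 4 are benign; lines 2, 3 and 5 are the patterns the brief says to watch for.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /data_api/dl_internal_artifact.php?guid=%7B3F2504E0-4F89-11D3-9A0C-0305E82C3301%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2026:10:01:05 +0000] "GET /data_api/dl_internal_artifact.php?guid=../../shell.php HTTP/1.1" 200 44 "-" "python-requests/2.31"
10.0.0.9 - - [20/May/2026:10:01:06 +0000] "POST /_api/data HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.5 - - [20/May/2026:10:01:08 +0000] "POST /_api/data?model=Finance HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2026:10:01:09 +0000] "POST /_api/data?model= HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: legitimate artifact requests carry an EA repository GUID of the form
# {8-4-4-4-12 hex digits}; anything else in guid= (paths, .php names) is suspicious.
GUID_RE = re.compile(r'^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$')

ARTIFACT_PATH = "/data_api/dl_internal_artifact.php"
DATA_API_PATH = "/_api/data"


def analyse_line(line):
    """Return (ip, timestamp, rule, target) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values

    # Rule 1: artifact download whose guid is missing or is not a repository GUID.
    if path.endswith(ARTIFACT_PATH):
        guids = qs.get("guid", [])
        if not guids or any(not GUID_RE.match(g) for g in guids):
            return (m["ip"], m["ts"], "suspicious-artifact-guid", m["target"])

    # Rule 2: POST to the data API with no non-empty model query parameter,
    # the shape of the CVE-2026-42097 auth-gate bypass.
    if m["method"] == "POST" and path.endswith(DATA_API_PATH):
        if not [v for v in qs.get("model", []) if v]:
            return (m["ip"], m["ts"], "api-data-post-without-model", m["target"])
    return None


def scan(log_text):
    """Run analyse_line over every line and collect the findings in order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for ip, ts, rule, target in scan(SAMPLE_LOG):
        print("%s %s %s %s" % (ts, ip, rule, target))
```

Rule 2 only sees the URL, which is what the access log records; it cannot see the binary POST body where the bypass hides the model name, so it deliberately treats every model-less POST to the endpoint as worth a look rather than trying to reconstruct the request. Rule 1 catches attacker-chosen filenames because the guid value is the only handle the log keeps on them.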