| CVE ID | CVE-2026-42096 |
| Publication date | 19 May 2026 |
| Vendor | Sparx Systems |
| Product | Pro Cloud Server |
| Vulnerable versions | All through 6.1 |
| Vulnerability type (CWE) | Incorrect Authorization (CWE-863) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-42097 |
| Publication date | 19 May 2026 |
| Vendor | Sparx Systems |
| Product | Pro Cloud Server |
| Vulnerable versions | All through 6.1 |
| Vulnerability type (CWE) | Authorization Bypass Through User-Controlled Key (CWE-639) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-42098 |
| Publication date | 19 May 2026 |
| Vendor | Sparx Systems |
| Product | Enterprise Architect |
| Vulnerable versions | All through 17.1 |
| Vulnerability type (CWE) | Use of Client-Side Authentication (CWE-603) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-42099 |
| Publication date | 19 May 2026 |
| Vendor | Sparx Systems |
| Product | Pro Cloud Server |
| Vulnerable versions | All through 6.1 |
| Vulnerability type (CWE) | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-42100 |
| Publication date | 19 May 2026 |
| Vendor | Sparx Systems |
| Product | Pro Cloud Server |
| Vulnerable versions | All through 6.1 |
| Vulnerability type (CWE) | Improper Handling of Syntactically Invalid Structure (CWE-228) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Sparx Systems software and participated in coordinating their disclosure.
The vulnerability CVE-2026-42096: Sparx Pro Cloud Server is vulnerable to Broken Access Control in its communication with the database. Because permissions are not checked, any low-privileged user can run arbitrary SQL queries in the context of the database user.
The vulnerability CVE-2026-42097: Sparx Pro Cloud Server decides whether authentication is required based on the requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob of the POST request, which allows SQL query execution without authentication.
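The two Pro Cloud Server issues above share a root cause: the authorization decision and the SQL execution path do not look at the same data, and no server-side permission check sits in front of the query. The following is an added example written for this advisory, not Sparx Systems code, that models a request handler with a URL query parameter and a binary POST body. The blob format (a 16-bit length prefix followed by the model name), the `ROLES` table and every name in it (`Request`, `handle_query`, `authorize_from_url_only`, `blob_for`) are constructed assumptions; the point is the contrast between a check keyed on an optional URL parameter and a handler that resolves the model once, requires both channels to agree, and denies by default unless the user's role grants the operation on that model (the same server-side enforcement that CVE-2026-42098's client-side check lacks).

```python
"""Hardened request handling for a model-query endpoint (added example).

Constructed example, not Sparx Systems code. It contrasts an authorization
check keyed on an optional URL parameter (CWE-639) with a handler that uses a
single source of truth for the model name and enforces the user's role on the
server before any SQL runs (the remedy for CWE-863 and CWE-603).
All names (Request, ROLES, handle_query, blob_for, ...) are hypothetical.
"""
from dataclasses import dataclass, field
import struct


@dataclass
class Request:
    user: str
    query: dict = field(default_factory=dict)   # URL query parameters
    body: bytes = b""                           # binary blob in a POST body


# Constructed role table: which users hold which permissions on which model.
ROLES = {
    "admin": {"ProjectA": {"query", "read"}, "ProjectB": {"query", "read"}},
    "viewer": {"ProjectA": {"read"}},
}


def parse_blob(body: bytes) -> dict:
    """Parse a constructed length-prefixed blob: [u16 len][model name][rest]."""
    if len(body) < 2:
        return {}
    (n,) = struct.unpack(">H", body[:2])
    if len(body) < 2 + n:
        raise ValueError("truncated blob")
    return {"model": body[2:2 + n].decode("utf-8"), "payload": body[2 + n:]}


def authorize_from_url_only(req: Request) -> bool:
    """Vulnerable shape (CWE-639): the decision is keyed on a URL parameter
    the client may simply omit, while the executor reads the model from the
    blob. Shown only to make the defect concrete; do not use this pattern."""
    model = req.query.get("model")
    if model is None:
        return True        # "no model requested" treated as nothing to check
    return "query" in ROLES.get(req.user, {}).get(model, set())


def handle_query(req: Request) -> str:
    """Hardened handler: one resolved model name, both channels must agree,
    explicit server-side permission check, deny by default."""
    blob = parse_blob(req.body)
    url_model = req.query.get("model")
    blob_model = blob.get("model")
    if url_model is not None and blob_model is not None and url_model != blob_model:
        return "denied: model mismatch"
    model = url_model or blob_model
    if not model:
        return "denied: no model"
    perms = ROLES.get(req.user, {}).get(model, set())
    if "query" not in perms:
        return f"denied: {req.user} lacks query on {model}"
    return f"executed on {model}: {len(blob.get('payload', b''))} bytes"


def blob_for(model: str, payload: bytes) -> bytes:
    """Build a constructed blob for tests and demonstrations."""
    m = model.encode()
    return struct.pack(">H", len(m)) + m + payload


if __name__ == "__main__":
    print(authorize_from_url_only(Request("viewer", {}, blob_for("ProjectB", b"x"))))
    print(handle_query(Request("viewer", {}, blob_for("ProjectB", b"SELECT 1"))))
    print(handle_query(Request("admin", {"model": "ProjectA"}, blob_for("ProjectA", b"abc"))))
```

The first call illustrates the defect: with the URL parameter absent, the URL-only check returns `True` for a viewer even though the blob names a model the viewer has no rights to. The hardened handler refuses the same request because it authorizes against the model it will actually query.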
The vulnerability CVE-2026-42098: Sparx Enterprise Architect has a security feature that limits a user's actions to those specified in their role. An authenticated attacker can modify the behaviour of the Enterprise Architect client (e.g. using a debugger) and log in as any other user or as an administrator, after which any change to the repository is possible.
The vulnerability CVE-2026-42099: Sparx Pro Cloud Server is vulnerable to a race condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed to by the guid parameter and saves the loaded content in the current directory (DIR) under the specified name. An attacker with repository access controls both the filename and the file contents, allowing a malicious PHP file to be created in the current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g. by a large file or a slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.
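The race window above is only dangerous because the temporary file carries a client-chosen name, sits in a web-served directory, and is deleted late. The following added example, written for this advisory and not taken from Pro Cloud Server, shows a download handler with the three properties that remove the window: the on-disk name is generated by the server, the file lives in a scratch directory the web server does not serve, and removal happens in a `finally` block. `WEBROOT`, `SCRATCH_DIR`, `serve_artifact` and `sanitize_download_name` are hypothetical names; the client-supplied name is used only for the Content-Disposition filename, after stripping path components and executable extensions.

```python
"""Safe handling of an artifact that briefly touches disk (added example).

Constructed example, not Pro Cloud Server code. The advisory for
CVE-2026-42099 describes a file written under a user-supplied name into the
web-served current directory and deleted only after the response is sent.
Here the server picks the path, keeps it outside the web root, and removes it
unconditionally, so no predictable executable file exists during a slow
response. WEBROOT, SCRATCH_DIR and the function names are hypothetical.
"""
import os
import secrets
import tempfile
from pathlib import Path

WEBROOT = Path(tempfile.gettempdir()) / "example_webroot"      # stands in for DIR
SCRATCH_DIR = Path(tempfile.gettempdir()) / "example_scratch"  # never served
EXECUTABLE_EXT = {".php", ".phtml", ".phar"}


def sanitize_download_name(name: str) -> str:
    """Name offered to the client: basename only, no executable extension."""
    base = os.path.basename(name.replace("\\", "/")) or "artifact"
    if Path(base).suffix.lower() in EXECUTABLE_EXT:
        base += ".txt"
    return base


def serve_artifact(requested_name: str, content: bytes) -> dict:
    """Write content to a server-chosen path outside the web root, 'send' it,
    and guarantee removal. Returns what a handler would pass to the response
    layer plus audit facts about the path that was used."""
    SCRATCH_DIR.mkdir(parents=True, exist_ok=True)
    # Server-generated name: unpredictable, fixed non-executable suffix.
    disk_path = SCRATCH_DIR / f"{secrets.token_hex(16)}.bin"
    # O_EXCL refuses to reuse an existing name; 0o600 keeps it private.
    fd = os.open(disk_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        with open(disk_path, "rb") as fh:
            body = fh.read()            # stands in for streaming to the client
    finally:
        # Runs even if the transfer is slow or fails; the window is closed.
        disk_path.unlink(missing_ok=True)
    return {
        "download_name": sanitize_download_name(requested_name),
        "disk_path": str(disk_path),
        "body": body,
        "exists_after": disk_path.exists(),
        "outside_webroot": WEBROOT not in disk_path.parents,
    }


if __name__ == "__main__":
    result = serve_artifact("../payload.php", b"sample bytes")
    print(result["download_name"], result["exists_after"], result["outside_webroot"])
```

Where the artifact never needs to be on disk at all, streaming it straight from the database to the response removes the file entirely and is the stronger fix; the pattern above is for the case where a temporary file is unavoidable.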
The vulnerability CVE-2026-42100: Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows a Denial of Service (DoS) attack by sending a specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly.
The vendor was notified early about these vulnerabilities but did not respond with details of the vulnerabilities or the vulnerable version range. Only Pro Cloud Server version 6.1 (build 167) and below and Enterprise Architect version 17.1 and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Credits
We thank Blazej Adamczyk (br0x) from Efigo for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.