High severity · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-42096

Description

Sparx Pro Cloud Server is vulnerable to Broken Access Control in its communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries within the database user context.

The vendor was notified early about this vulnerability, but didn't respond with details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Low-privilege users can execute arbitrary SQL queries on Sparx Pro Cloud Server due to missing permission checks, leading to full database compromise.

Vulnerability

Sparx Pro Cloud Server versions through 6.1 (build 167) lack proper authorization checks for database communication, allowing any low-privileged user to execute arbitrary SQL queries within the database user context. This is classified as CWE-863 (Incorrect Authorization) [1].

Exploitation

An attacker with a low-privileged account on the Pro Cloud Server can send crafted SQL queries directly to the database. No additional authentication or special privileges are required beyond the initial low-privilege access [2].

Impact

Successful exploitation grants the attacker full read and write access to the underlying database, enabling data theft, modification, or deletion. This compromises the confidentiality, integrity, and availability of all data managed by the server [1][2].

Mitigation

As of the publication date, no official fix has been released. The vendor was notified but did not provide details or a patch schedule. Only version 6.1 (build 167) and below are confirmed vulnerable; other versions may also be affected [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

4
