VYPR
High severity · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-42099

Description

Sparx Pro Cloud Server is vulnerable to a race condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed to by the guid parameter and saves the loaded content in the current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and the file contents, allowing the creation of a malicious PHP file in the current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., by a large file or a slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.

The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Sparx Pro Cloud Server's /data_api/dl_internal_artifact.php allows an attacker with repository access to achieve remote code execution.

Vulnerability

The /data_api/dl_internal_artifact.php endpoint in Sparx Pro Cloud Server (all versions through 6.1 build 167, and possibly later) suffers from a race condition. The endpoint downloads properties of an object specified by the guid parameter and saves the loaded content in the current directory (__DIR__) under a user-controlled filename. An attacker with repository access can control both the filename and the file contents, enabling the creation of a malicious PHP file. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible on disk for a window of time [1][2].

Exploitation

An attacker must have repository access to the Sparx Pro Cloud Server. The attacker sends a crafted request to the vulnerable endpoint, specifying a malicious PHP payload as the file content and a .php extension as the filename. By deliberately slowing the client connection or requesting a large file, the attacker delays the HTTP response, preventing the server from deleting the temporary file. During this window, the attacker issues a second request to the newly created PHP file, which executes the malicious code [2].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full remote code execution (RCE). This compromises the confidentiality, integrity, and availability of the server and any connected data [1][2].

Mitigation

The vendor was notified but did not provide details on vulnerable version ranges or a fix. Only version 6.1 (build 167) and below were tested and confirmed vulnerable; other versions may also be affected. As of the publication date (2026-05-19), no official patch or workaround has been released. Users should monitor vendor communications for updates and consider restricting network access to the vulnerable endpoint [1].
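The defect described above comes from writing repository-controlled bytes under a repository-controlled name into the script's own directory and relying on a delete after the response. The PHP handler below is an added example written for this page, not Sparx code, showing the pattern that removes the window: the untrusted name is used only in the Content-Disposition header, the bytes are streamed from memory, and when a library needs a path the file goes to a random name outside the document root and is removed even on client abort. loadArtifactProperties() is a hypothetical stand-in for the repository lookup, and the guid format check is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the repository lookup: both fields are controlled by the
// repository user. The single record is constructed sample data.
function loadArtifactProperties(string $guid): ?array {
    $repo = ['00000000-0000-4000-8000-000000000001' => [
        'name'    => 'report.php',                  // repository-chosen; used only in a header
        'content' => 'constructed artifact bytes',
    ]];
    return $repo[$guid] ?? null;
}

// Reduce an untrusted name to a safe attachment filename (header value, never a path).
function safeDownloadName(string $name): string {
    $base = basename(str_replace('\\', '/', $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    return in_array($base, ['', '.', '..'], true) ? 'artifact.bin' : $base;
}

// Stream the bytes from memory: nothing is written next to the script, so there is no
// on-disk file for a second request to reach, however slowly the client reads.
function serveArtifact(string $guid): void {
    if (!preg_match('/^[0-9A-Fa-f-]{1,64}$/', $guid)) { http_response_code(400); return; } // assumed format
    $props = loadArtifactProperties($guid);
    if ($props === null) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . safeDownloadName($props['name']) . '"');
    header('Content-Length: ' . strlen($props['content']));
    echo $props['content'];
}

// If a library insists on a path, keep the file outside the document root under a random
// name (tempnam creates it with mode 0600) and remove it even if the client aborts.
function serveViaTempFile(string $content): void {
    $tmp = tempnam(sys_get_temp_dir(), 'art_');
    if ($tmp === false) { http_response_code(500); return; }
    register_shutdown_function(static fn () => @unlink($tmp));
    try {
        file_put_contents($tmp, $content);
        readfile($tmp);
    } finally {
        @unlink($tmp);
    }
}

serveArtifact($_GET['guid'] ?? '');
```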

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0