Broken Access Control in Sparx Pro Cloud Server by Sparx Systems
CVE-2026-42096

8.7HIGH

Key Information:

Vendor

Sparx Systems

Status
Pro Cloud Server
Vendor
CVE Published:
19 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-42096?

Sparx Pro Cloud Server is exposed to Broken Access Control vulnerabilities, allowing low privileged users to execute arbitrary SQL queries against the database due to insufficient permission checks. This security flaw could potentially lead to data exposure or manipulation. Although version 6.1 (build 167) and earlier have been confirmed vulnerable, further testing is required to determine if other versions are affected. The vendor has been alerted about the issue but has not disclosed any specific details regarding the vulnerable versions.

Affected Version(s)

Pro Cloud Server 0 <= 6.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

sparx_hack
Created by br0xpl

References

https://cert.pl/en/posts/2026/05/CVE-2026-42096
third-party-advisory
https://sparxsystems.com/products/procloudserver/
product
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect...
technical-description

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Blazej Adamczyk (br0x) - Efigo
.