Race Condition Vulnerability in Sparx Pro Cloud Server
CVE-2026-42099

7.7 HIGH

Key Information:

Vendor
CVE Published: 19 May 2026

What is CVE-2026-42099?

Sparx Pro Cloud Server is susceptible to a race condition vulnerability in the /data_api/dl_internal_artifact.php endpoint, which can lead to unauthorized remote code execution. An attacker with repository access can control the name and contents of a PHP file that is created during the artifact download process. The application is designed to delete this file after processing, but if transmission delays occur, the file remains accessible for a short time. During this window, the attacker can send a second request that executes the malicious PHP file, compromising the server. Versions 6.1 (build 167) and below are confirmed vulnerable; other, untested versions might also be at risk.
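A detection sketch for the window described above, added here as an example and not taken from the vendor or the reporter: it flags requests for PHP scripts outside a known allowlist that overlap in time with an in-flight request to the artifact endpoint. The log format, the allowlist and the sample lines (including the script names in them) are constructed assumptions; only the endpoint path comes from the advisory.

```python
from datetime import datetime, timedelta

ARTIFACT_ENDPOINT = "/data_api/dl_internal_artifact.php"  # endpoint named in the advisory

# Assumption: PHP scripts this deployment is known to serve (constructed allowlist).
KNOWN_SCRIPTS = {ARTIFACT_ENDPOINT, "/login.php"}

# Constructed sample log, one request per line:
# <finish time> <client> <path> <status> <duration in ms>
SAMPLE_LOG = """\
2026-05-20T10:00:01 198.51.100.7 /login.php 200 40
2026-05-20T10:00:05 198.51.100.7 /data_api/tmp_example.php 200 15
2026-05-20T10:00:09 198.51.100.7 /data_api/dl_internal_artifact.php 200 6000
2026-05-20T10:00:30 203.0.113.9 /data_api/other_example.php 404 3
"""


def parse(line):
    """Turn one log line into a dict with the request's start and end time."""
    ts, client, path, status, dur = line.split()
    end = datetime.fromisoformat(ts)
    return {"start": end - timedelta(milliseconds=int(dur)), "end": end,
            "client": client, "path": path.split("?", 1)[0], "status": int(status)}


def find_suspect_requests(log_text, known=KNOWN_SCRIPTS):
    """Return unknown .php requests that overlap an artifact download."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    windows = [e for e in entries if e["path"] == ARTIFACT_ENDPOINT]
    hits = []
    for e in entries:
        if not e["path"].lower().endswith(".php") or e["path"] in known:
            continue
        for w in windows:
            # Overlap test: the unknown script was requested while a
            # download request was still being served.
            if e["start"] <= w["end"] and e["end"] >= w["start"]:
                hits.append((e["path"], e["client"], e["status"], w["client"]))
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("unknown PHP script requested during artifact download:", hit)
```

The overlap test needs request durations, so the web server's access log has to record them alongside the finish time.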

Affected Version(s)

Pro Cloud Server 0 <= 6.1

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Blazej Adamczyk (br0x) - Efigo