CVE-2026-42096
Published 2026-05-19
Priority P261, high, 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.60% (44.2th percentile)
Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries within the database user context.
The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sparx_systems | pro_cloud_server | <= 6.1 | — |
| sparxsystems | pro_cloud_server | <= 6.1.167 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Sparx Systems Pro Cloud Server up to 6.1 authorization
vuldb·2026-05-19·CVSS 8.7
CVE-2026-42096 [HIGH] Sparx Systems Pro Cloud Server up to 6.1 authorization
A vulnerability was found in Sparx Systems Pro Cloud Server up to 6.1. It has been rated as critical. Affected by this issue is some unknown functionality. This manipulation causes incorrect authorization.
This vulnerability is handled as CVE-2026-42096. The attack can be initiated remotely. There is not any exploit available.
GHSA
GHSA-544c-gfhm-rwqf: Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database
ghsa_unreviewed·2026-05-19
CVE-2026-42096 [HIGH] CWE-863 GHSA-544c-gfhm-rwqf: Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database
Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries within the database user context.
The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-19: Published