Description
Sparx Pro Cloud Server is vulnerable to Broken Access Control in its communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries in the database user's context.

The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-05-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sparx Pro Cloud Server permits low‑privileged users to execute arbitrary SQL queries due to missing access‑control checks on database communication. An attacker can read sensitive data, alter records, or delete information, thereby compromising confidentiality and integrity. The weakness maps to CWE‑863 and carries a CVSS score of 8.7, indicating a high‑severity vulnerability that can be used to undermine the application’s data store.

Affected Systems

Sparx Systems Pro Cloud Server. Versions 6.1 (build 167) and earlier were tested and confirmed vulnerable; later releases have not been evaluated and may also be affected.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, low-complexity attack that requires only low privileges and no user interaction (vector AV:N/AC:L/AT:N/PR:L/UI:N). No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves standard communication channels of the application, such as HTTP/HTTPS or any other client‑server interface that transmits SQL statements to the database. An attacker with low privileges can exploit the missing permission checks to execute any SQL command in the database user context.

Generated by OpenCVE AI on May 19, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Sparx Systems to obtain a confirmed patch or vulnerability scope update.
  • Upgrade to the vendor’s supported version once a fix is released.
  • Restrict database permissions for low‑privileged users to read‑only, or disable direct SQL execution in favor of ORM or stored procedures.
  • Monitor database logs for abnormal query patterns that may indicate exploitation.


Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | Sparx Pro Cloud Server is vulnerable to Broken Access Control in its communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries in the database user's context. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Title | | Broken Access Control in Sparx Pro Cloud Server
Weaknesses | | CWE-863
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-19T14:25:54.493Z

Reserved: 2026-04-24T12:15:00.857Z

Link: CVE-2026-42096

Vulnrichment

Updated: 2026-05-19T14:25:51.570Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T14:16:42.047

Modified: 2026-05-19T14:45:59.807

Link: CVE-2026-42096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:15:08Z

Weaknesses