Warning: Actively exploited critical and multiple high vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect, Patch Immediately!

Published: 21/05/2026
  • Last update: 21/05/2026
  • Affected software:
    Sparx Systems Pro Cloud Server all versions up to 6.1 (build 167)
    Sparx Systems Enterprise Architect all versions up to 17.1
  • Type:
    CWE-863: Incorrect Authorization
    CWE-639: Authorization Bypass Through User-Controlled Key
    CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    CWE-228: Improper Handling of Syntactically Invalid Structure
    CWE-603: Use of Client-Side Authentication
  • CVE/CVSS
    CVE-2026-42096: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N)
    CVE-2026-42097: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N)
    CVE-2026-42098: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
    CVE-2026-42099: CVSS 7.7 (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
    CVE-2026-42100: CVSS 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Sources

https://github.com/advisories/GHSA-544c-gfhm-rwqf
https://github.com/advisories/GHSA-hf6p-xc3f-p4f9
https://github.com/advisories/GHSA-qff4-m3j5-xcv5
https://github.com/advisories/GHSA-r2pf-hp27-79jw
https://github.com/advisories/GHSA-j7p7-w7pr-mwpc

Risks

Sparx Systems Enterprise Architect is a visual modeling platform supporting industry standards (UML, BPMN, SysML, ArchiMate) and enterprise architecture frameworks (TOGAF, Zachman) for the full development lifecycle.

Sparx Systems Pro Cloud Server is a server-side extension for secure, centralized hosting of Enterprise Architect repositories over HTTPS. It offers web-based model access and REST API integration with enterprise toolchains.

On the 19th of May 2026, 5 vulnerabilities were publicly disclosed online: 1 critical (CVE-2026-42097) and 3 high (CVE-2026-42096, CVE-2026-42099, CVE-2026-42100) affecting Sparx Systems Pro Cloud Server and 1 high (CVE-2026-42098) affecting Sparx Systems Enterprise Architect.

There is a publicly available Proof-of-Concept (PoC) for all five vulnerabilities. As of 2026-05-20, the time of writing of this advisory, there is no proof of exploitation, but since a PoC is available it is highly likely that these vulnerabilities will be exploited.

Exploiting CVE-2026-42098 or CVE-2026-42099 can have a high impact on all aspects of the CIA triad (Confidentiality, Integrity, Availability) of the affected system.

Exploiting CVE-2026-42096 or CVE-2026-42097 can have a high impact on the Confidentiality and the Integrity of the system and low impact on the Availability of the system.

Exploiting CVE-2026-42100 can have a high impact on the Availability of the system but no impact on its Confidentiality or its Integrity.

Description

CVE-2026-42096 is a high criticality Broken Access Control vulnerability in the database communication of the Sparx Pro Cloud Server, which can be exploited by remote attackers with low privilege roles and without any user interaction to run arbitrary SQL queries in the context of the database user. This gives them read, write and delete access to database data without proper authorization.

CVE-2026-42097 is a critical Authorization Bypass vulnerability in Sparx Pro Cloud Server, which can be exploited by remote attackers without privileges or user interaction to execute arbitrary SQL queries without authentication. They can achieve that by including the model name in the binary blob of the POST request.

CVE-2026-42098 is a high criticality Use of Client-Side Authentication vulnerability in the role-based access control (RBAC) of Sparx Enterprise Architect, which can be exploited by remote attackers with low privileges and without any user interaction to bypass authentication and impersonate any user or administrator. In that way, the attacker can make unauthorized changes to data and configuration.

CVE-2026-42099 is a high criticality Race Condition vulnerability in the Sparx Pro Cloud Server, which can be exploited by remote attackers with low privileges, without any user interaction, and with access to the repository to execute arbitrary PHP code on the server. They can achieve that by creating a custom, malicious PHP file, which remains available even after its deletion because the transmission response is delayed, and then issuing a request that executes that file.

CVE-2026-42100 is a high criticality Improper Handling of Syntactically Invalid Structure vulnerability in Sparx Pro Cloud Server, which can be exploited by remote attackers with low privileges and without any user interaction to cause a Denial of Service on the server. They can achieve that by crafting malicious SQL queries that force the server to crash unexpectedly.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
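As an added example that is not part of this advisory or of Sparx Systems' own tooling, the following Python script supports two of the actions above: it checks an installed version against the affected ranges listed under "Affected software" (Pro Cloud Server up to 6.1 build 167, Enterprise Architect up to 17.1; builds above those are assumed fixed), and it scans web-server access log lines for the pattern described for CVE-2026-42099, a PHP file written to the server and then requested shortly afterwards, as well as for successful requests to PHP scripts that are not part of the known application. The log format, the sample log lines, the `/pcs/...` paths and the `KNOWN_SCRIPTS` allowlist are all constructed for the example; a real allowlist must be built from the files actually shipped in the deployed installation.

```python
import re
from datetime import datetime, timedelta

# Last affected versions as stated in the advisory, as integer tuples.
# Assumption: any release above these (e.g. build 168) is fixed.
AFFECTED_MAX = {
    "pro-cloud-server": (6, 1, 167),   # major, minor, build
    "enterprise-architect": (17, 1),   # major, minor (any 17.1 build is affected)
}


def parse_version(text: str) -> tuple:
    """Turn strings such as '6.1 (build 167)' or '17.1' into a tuple of ints."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if not nums:
        raise ValueError(f"no version numbers found in {text!r}")
    return nums


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the last affected version.

    Only as many components as the ceiling has are compared, so '17.1 build 1710'
    counts as 17.1 (affected) and '6.1' alone (build unknown) is treated as affected.
    """
    ceiling = AFFECTED_MAX[product]
    installed = parse_version(version)[: len(ceiling)]
    return installed <= ceiling


# Combined-log-format style line (constructed format, not a Sparx log format):
# client - user [timestamp] "METHOD /path HTTP/1.1" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed placeholder allowlist of the application's own PHP entry points.
KNOWN_SCRIPTS = {"/pcs/index.php", "/pcs/api.php"}

# Constructed sample log: a user writes a PHP file and fetches it one second later,
# a later fetch after the file is gone returns 404, and normal traffic is mixed in.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/May/2026:10:15:01 +0000] "GET /pcs/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [20/May/2026:10:15:03 +0000] "PUT /pcs/uploads/note.php HTTP/1.1" 201 0 "-" "curl/8.0"
10.0.0.5 - alice [20/May/2026:10:15:04 +0000] "GET /pcs/uploads/note.php HTTP/1.1" 200 77 "-" "curl/8.0"
10.0.0.9 - - [20/May/2026:10:16:30 +0000] "GET /pcs/uploads/note.php HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - bob [20/May/2026:10:17:00 +0000] "POST /pcs/api.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""


def parse_access_log(lines) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        ev["status"] = int(ev["status"])
        ev["path"] = ev["path"].split("?", 1)[0]   # drop query string
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_php_requests(lines, known_scripts, window_seconds: int = 5) -> list:
    """Return findings for two heuristics on requests to .php paths:

    - "write-then-execute": a PUT to a .php path followed by a GET of the same
      path within window_seconds (the sequence described for CVE-2026-42099).
    - "unknown-php-200": a successful (200) request to a .php path that is not
      one of the application's known scripts (generic web-shell indicator).
    """
    last_write = {}   # path -> event of the most recent PUT
    findings = []
    for ev in parse_access_log(lines):
        path = ev["path"]
        if not path.lower().endswith(".php"):
            continue
        if ev["method"] == "PUT":
            last_write[path] = ev
            continue
        if ev["method"] == "GET" and path in last_write:
            delta = ev["ts"] - last_write[path]["ts"]
            if delta <= timedelta(seconds=window_seconds):
                findings.append({"rule": "write-then-execute", "path": path,
                                 "ip": ev["ip"], "user": ev["user"],
                                 "delta_s": delta.total_seconds()})
        if ev["status"] == 200 and path not in known_scripts:
            findings.append({"rule": "unknown-php-200", "path": path,
                             "ip": ev["ip"], "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for product, version in [("pro-cloud-server", "6.1 (build 167)"),
                             ("pro-cloud-server", "6.1 (build 168)"),
                             ("enterprise-architect", "17.1 build 1710")]:
        print(f"{product} {version}: affected={is_affected(product, version)}")
    for f in find_suspicious_php_requests(SAMPLE_LOG.splitlines(), KNOWN_SCRIPTS):
        print(f)
```

The write-then-execute window is deliberately short because the race described in the advisory depends on the file still being served right after it was created; widen it if the server's own write path is slower. The 404 in the sample shows the file being gone later, which is exactly why a delete alone is not evidence that the window was never abused.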

References

https://nvd.nist.gov/vuln/detail/CVE-2026-42096
https://nvd.nist.gov/vuln/detail/CVE-2026-42097
https://nvd.nist.gov/vuln/detail/CVE-2026-42098
https://nvd.nist.gov/vuln/detail/CVE-2026-42099
https://nvd.nist.gov/vuln/detail/CVE-2026-42100
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://cert.pl/en/posts/2026/05/CVE-2026-42096