PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42096 Sparx Systems CVE debrief

CVE-2026-42096 is a broken access control issue in Sparx Pro Cloud Server. The advisory says a low-privileged user can run arbitrary SQL queries in the database user context because permission checks are missing in the application-to-database path. The source notes that version 6.1 (build 167) and below were tested and confirmed vulnerable, while later versions were not tested and the vendor did not provide a vulnerable version range.

Vendor: Sparx Systems
Product: Pro Cloud Server
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and security teams running Sparx Pro Cloud Server, especially environments where low-privileged users can reach database-backed functions or administrative workflows. Database administrators should also care because the impact occurs within the database user context.

Technical summary

The reported flaw is a broken access control weakness (CWE-863, Incorrect Authorization) in the application's communication with the database. According to the source, insufficient authorization checks allow a low-privileged user to submit arbitrary SQL queries that execute with the database user's privileges. The NVD record lists CVSS v4.0 8.7 HIGH with network attack vector, low attack complexity, no user interaction, and low privileges required.
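To make the weakness class concrete, here is an added illustration (hypothetical code, not Sparx Pro Cloud Server's; the table, role and query names are constructed) of a "run this SQL" path that forwards caller-supplied SQL without consulting the caller's role, next to a hardened form that authorizes first and executes only allow-listed named queries, plus a check of the kind used to confirm that permission checks are enforced:

```python
"""Illustration of CWE-863 on a SQL-forwarding path and a hardened alternative.
Hypothetical code; tables, roles and query names are constructed for the example."""
import sqlite3
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller's role does not permit the requested query."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "viewer" (low-privileged) or "admin"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the product's store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE models(name TEXT);"
        "INSERT INTO models VALUES ('billing-model');"
        "CREATE TABLE accounts(login TEXT, pw_hash TEXT);"
        "INSERT INTO accounts VALUES ('admin', 'hash-placeholder');"
    )
    return conn


def run_sql_vulnerable(conn, user: User, sql: str):
    """Flaw pattern: caller-supplied SQL runs with the app's DB privileges and
    user.role is never consulted, so any authenticated caller reaches any table."""
    return conn.execute(sql).fetchall()


# Hardened form: callers name a query, never send SQL text, and each named
# query carries the minimum role allowed to run it.
NAMED_QUERIES = {
    "list_models": ("viewer", "SELECT name FROM models"),
    "list_accounts": ("admin", "SELECT login FROM accounts"),
}
ROLE_RANK = {"viewer": 0, "admin": 1}


def run_named_query_hardened(conn, user: User, query_name: str):
    """Authorize against the query's required role, then run allow-listed SQL."""
    entry = NAMED_QUERIES.get(query_name)
    if entry is None:
        raise KeyError(f"unknown query: {query_name}")
    required_role, sql = entry
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK[required_role]:
        raise Forbidden(f"{user.name} ({user.role}) may not run {query_name}")
    return conn.execute(sql).fetchall()


def low_priv_reaches_accounts(run) -> bool:
    """Enforcement check: run the path as a viewer; True means the check is missing."""
    try:
        rows = run(make_db(), User("eve", "viewer"))
    except Forbidden:
        return False
    return any("admin" in row for row in rows)
```

The same check, run against a patched deployment's real endpoint with a low-privileged test account, is one way to validate the "permission checks are enforced after patching" step.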

Defensive priority

High. The issue can directly expose database integrity and confidentiality through unauthorized SQL execution, and the source does not limit the affected range beyond tested versions.

Recommended defensive actions

  • Review whether Sparx Pro Cloud Server is deployed in your environment and identify the installed version/build.
  • If you run version 6.1 (build 167) or earlier, treat the system as vulnerable until proven otherwise.
  • Restrict access to the product and any exposed database-adjacent interfaces to trusted users and networks.
  • Monitor application and database logs for unexpected SQL activity from low-privileged accounts.
  • Apply vendor guidance or updates as soon as they are available, and validate that permission checks are enforced after patching.

Evidence notes

Supported facts come from the supplied NVD record and its referenced advisory links. The advisory states that low-privileged users can run arbitrary SQL queries due to missing permission checks, and that version 6.1 (build 167) and below were tested and confirmed vulnerable. The vendor reportedly did not provide a confirmed vulnerable version range, so broader exposure remains unverified. The NVD entry is marked 'Awaiting Analysis' at the time of the supplied record.

Official resources

Publicly disclosed on 2026-05-19. The source says the vendor was notified early, but did not provide a vulnerable version range. The CVE record was published and last modified on 2026-05-19.