Improper access control in Sparx Pro Cloud Server - CVE-2026-42096

 


Published: May 27, 2026


Vulnerability identifier: #VU132369
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2026-42096
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Sparx Systems
Affected software: Sparx Pro Cloud Server

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists due to improper access control in the SparxCloudLink.sseap SQL query handling when processing crafted encrypted SQL requests. A remote attacker can obtain the embedded symmetric key from the client and send custom SQL queries, which are then executed.

The issue affects database operations permitted by the configured external database user.


How to mitigate CVE-2026-42096

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
