CVE-2026-42099
Analyzed Analyzed - Analysis Complete
Race Condition in Sparx Pro Cloud Server Leads to RCE

Publication date: 2026-05-19

Last updated on: 2026-06-02

Assigner: CERT.PL

Description
Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-02
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-42099
EUVD
EUVD-2026-30929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sparxsystems pro_cloud_server to 6.1.167 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Sparx Pro Cloud Server is a race condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads an object based on a guid parameter and saves its content as a file in the current directory. An attacker with repository access can control both the filename and the file contents, allowing them to create a malicious PHP file in that directory.

Although the malicious file is deleted after processing, if the response transmission is delayed (for example, due to a large file or slow client connection), the file remains accessible temporarily. During this window, the attacker can send a second request to execute the malicious PHP file, leading to remote code execution on the server.

Impact Analysis

This vulnerability can allow an attacker with repository access to execute arbitrary code remotely on the affected server. This means the attacker could potentially take control of the server, access sensitive data, modify or delete files, disrupt services, or use the server as a foothold to attack other systems.

Mitigation Strategies

The vulnerability affects Sparx Pro Cloud Server version 6.1 (build 167) and below. Immediate mitigation steps include restricting repository access to trusted users only, as an attacker needs repository access to exploit the vulnerability.

Additionally, monitoring and limiting slow client connections or large file downloads to reduce the window of the race condition may help mitigate exploitation.

Since the vendor has not provided patches or detailed version information, consider upgrading to a version above 6.1 if available and confirmed safe, or applying network-level protections to limit access to the vulnerable endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart