CVE-2026-42099 Overview
CVE-2026-42099 is a race condition in Sparx Systems Pro Cloud Server affecting the /data_api/dl_internal_artifact.php endpoint. The endpoint fetches object properties referenced by a guid parameter and writes the returned content into the script's own directory (PHP's __DIR__) under a filename taken from repository data the attacker controls. The server deletes the file after processing, but it remains on disk, and executable by the PHP runtime, for as long as the response is being transmitted. An authenticated attacker with repository access can exploit that window to plant and execute a malicious PHP file, achieving remote code execution on the host. Version 6.1 (build 167) is the build in which the flaw was confirmed; earlier builds are reported as affected, other versions were not tested, and any deployment without a vendor fix should be treated as vulnerable.
Critical Impact
Authenticated attackers with repository access can achieve remote code execution by winning a race against the server's post-processing file deletion.
Affected Products
- Sparx Systems Pro Cloud Server version 6.1 (build 167), the build in which the flaw was confirmed, and earlier builds
- Other versions of Pro Cloud Server were not tested and may also be vulnerable
- Deployments exposing the /data_api/dl_internal_artifact.php endpoint
Discovery Timeline
- 2026-05-19 - CVE-2026-42099 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-42099
Vulnerability Analysis
The flaw is a race condition categorized under CWE-362: a window between the creation of a file and its cleanup during which a second request can use it. The dl_internal_artifact.php handler fetches object properties identified by a guid parameter and writes the returned content to disk inside __DIR__, the script's own directory. Both the destination filename and the file contents come from repository data the attacker controls, so a file carrying a .php extension lands inside the web-served tree, where the PHP runtime executes it on request. The server deletes the staged file only after the HTTP response has been sent, so the file's lifetime is at least the response transmission time. Slowing that transmission, for example by requesting a large artifact or throttling the client's read rate, widens the window; the attacker controls the client side of the download, so the window is as long as the server's timeouts allow. A second, parallel request for the dropped filename hits the file before deletion and runs the payload with the privileges of the web server account.
Root Cause
The root cause combines two defects: untrusted content is staged under a directory the web server executes PHP from, with a filename taken from repository data, and cleanup is deferred until after the response, so the file is live for the whole request lifecycle. Removing the execution path (a staging directory the web server never serves, with server-generated filenames, or streaming the content without touching disk) fixes the bug on its own; tightening cleanup timing alone would not, because any nonzero lifetime inside the served tree can be raced.
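The staging pattern described above and its hardened counterpart, as an added illustration written in Python rather than the product's PHP. This is not Pro Cloud Server code: the two directories, the sample filename, the planted content and the send callback are assumptions for the demonstration. The vulnerable function writes an attacker-named file next to the scripts and unlinks it only after sending; the hardened one uses mkstemp (server-chosen name, O_EXCL) in a directory the web server never serves and cleans up in a finally block, so nothing the attacker names ever exists under the served tree.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical layout: WEB_ROOT stands in for the script directory (__DIR__)
# that the web server executes PHP from; STAGING_ROOT is a directory the web
# server never serves. Both are throwaway temp directories for this demo.
WEB_ROOT = Path(tempfile.mkdtemp(prefix="webroot_"))
STAGING_ROOT = Path(tempfile.mkdtemp(prefix="staging_"))


def vulnerable_download(name: str, content: bytes, send) -> None:
    """The pattern the advisory describes: filename and contents both come from
    repository data, the file is written next to the scripts, and it is deleted
    only after the response has gone out. While send() runs, the file sits at a
    URL the web server will execute."""
    path = WEB_ROOT / name            # attacker chooses e.g. "x9f2k.php"
    path.write_bytes(content)
    send(path.read_bytes())           # file is live for the whole transfer
    path.unlink()                     # too late: the window was the transfer


def hardened_download(content: bytes, send) -> None:
    """Hardened form: no attacker-derived name, no file under the served tree,
    and cleanup that runs even if sending fails."""
    # mkstemp opens with O_EXCL and a server-generated name, so neither the
    # filename nor the location can be influenced by repository data.
    fd, tmp_path = tempfile.mkstemp(dir=STAGING_ROOT, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        with open(tmp_path, "rb") as fh:
            send(fh.read())
    finally:
        os.unlink(tmp_path)


def is_executable_by_webserver(path: Path) -> bool:
    """True if the web server would execute this file as PHP: a .php file
    anywhere below the served tree."""
    return path.suffix == ".php" and WEB_ROOT.resolve() in path.resolve().parents


def exposure_during_send(use_hardened: bool, name: str = "x9f2k.php",
                         content: bytes = b"<?php echo 'planted'; ?>") -> list:
    """Run one download and return the names of executable .php files visible
    under the served tree while the response was in flight."""
    seen = []

    def send(_data: bytes) -> None:
        seen.extend(p.name for p in WEB_ROOT.iterdir()
                    if is_executable_by_webserver(p))

    if use_hardened:
        hardened_download(content, send)
    else:
        vulnerable_download(name, content, send)
    return seen


def staging_leftovers() -> list:
    """Names left behind in STAGING_ROOT; empty if cleanup always ran."""
    return [p.name for p in STAGING_ROOT.iterdir()]


if __name__ == "__main__":
    print("vulnerable:", exposure_during_send(False))   # ['x9f2k.php']
    print("hardened:  ", exposure_during_send(True))    # []
    print("leftovers: ", staging_leftovers())           # []
```

The check that matters is the one performed inside send(): during the vulnerable transfer an attacker-named .php file is visible in the executed directory, during the hardened one nothing is, and after a failed send the staging directory is still empty.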
Attack Vector
Exploitation requires network access and valid repository credentials. The attacker first plants a malicious artifact in the repository, then calls dl_internal_artifact.php with the corresponding guid to drop the PHP payload. While the slow download keeps the file on disk, a parallel HTTP request to the planted filename executes the payload.
No verified proof-of-concept code is publicly available. Refer to the Efigo and Sploit.tech write-ups linked in the references for technical details on the exploitation sequence.
Detection Methods for CVE-2026-42099
Indicators of Compromise
- Unexpected .php files appearing transiently inside the Pro Cloud Server data_api directory
- Web server access logs showing a request to /data_api/dl_internal_artifact.php overlapping in time with a GET for a .php name in the same path that is not part of the installed product. Servers that write the access log when a request finishes (nginx does) record the short parallel request before the slow download it overlapped, so correlate on the download's start time (timestamp minus request duration) rather than on line order
- Long-duration responses on dl_internal_artifact.php correlated with concurrent requests from the same client identity
Detection Strategies
- Monitor file system events on the Pro Cloud Server installation directory for creation of .php files outside the vendor-distributed set.
- Alert on HTTP requests to PHP filenames in /data_api/ that do not match the known application file inventory.
- Correlate slow dl_internal_artifact.php responses with parallel requests originating from the same authenticated session.
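The log correlation described in the second and third strategies above, as an added example that is not part of the original advisory. It assumes an nginx "combined" access log with $request_time appended as the final field (adjust LOG_RE to the real log_format) and an inventory of vendor-shipped PHP files (KNOWN_PHP, a placeholder here to be filled from the installed tree); the log lines are constructed for the demonstration. Because nginx writes the access-log line when a request finishes, the short parallel request is logged before the slow download, so the code reconstructs each request's start time from its duration and looks for overlapping intervals instead of relying on line order:

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real Pro Cloud Server logs). Format assumed:
# nginx "combined" with $request_time appended as the last field.
# Note the order: alice's 0.004 s hit on x9f2k.php is logged at 10:00:03,
# before her 12.4 s artifact download that finished at 10:00:13.
SAMPLE_LOG = """\
203.0.113.7 - alice [19/May/2026:10:00:03 +0000] "GET /data_api/x9f2k.php HTTP/1.1" 200 57 0.004
203.0.113.7 - alice [19/May/2026:10:00:13 +0000] "GET /data_api/dl_internal_artifact.php?guid=sample-guid HTTP/1.1" 200 5242880 12.431
198.51.100.9 - bob [19/May/2026:10:05:00 +0000] "GET /data_api/dl_internal_artifact.php?guid=sample-guid HTTP/1.1" 200 1024 0.120
198.51.100.9 - bob [19/May/2026:10:30:00 +0000] "GET /data_api/other.php HTTP/1.1" 404 153 0.001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
TARGET = "/data_api/dl_internal_artifact.php"
PHP_IN_DATA_API = re.compile(r"^/data_api/([^/]+\.php)$")
# Placeholder inventory: populate from the vendor-installed tree (assumption).
KNOWN_PHP = {"dl_internal_artifact.php"}


def parse_line(line):
    """Parse one access-log line into a request interval, or None if it does
    not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    end = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    seconds = float(m["rt"])
    return {
        "client": (m["ip"], m["user"]),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
        "start": end - timedelta(seconds=seconds),  # nginx logs at completion
        "end": end,
        "seconds": seconds,
    }


def find_race_candidates(lines, slack=timedelta(seconds=2)):
    """Flag each dl_internal_artifact.php download whose in-flight interval
    overlaps a request from the same client for a .php under /data_api/ that
    is not in the known inventory. `slack` absorbs clock granularity."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for d in (e for e in events if e["path"] == TARGET):
        for e in events:
            if e is d or e["client"] != d["client"]:
                continue
            m = PHP_IN_DATA_API.match(e["path"])
            if not m or m.group(1) in KNOWN_PHP:
                continue
            overlaps = (e["start"] <= d["end"] + slack
                        and e["end"] >= d["start"] - slack)
            if overlaps:
                findings.append({
                    "client": d["client"],
                    "php": m.group(1),
                    "php_status": e["status"],
                    "download_seconds": d["seconds"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_race_candidates(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, only alice is flagged: her unknown x9f2k.php request falls inside the 12.4 second download window. Bob's request for other.php arrives 25 minutes after his download and is ignored, although a 404 for an unknown .php name under /data_api/ is still worth a second look as reconnaissance.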
Monitoring Recommendations
- Enable verbose web server access logging and ship logs to a centralized analytics platform for retention and correlation.
- Track repository artifact uploads that contain PHP shell signatures or suspicious filenames with executable extensions.
- Baseline the contents of the data_api directory and alert on any deviation.
How to Mitigate CVE-2026-42099
Immediate Actions Required
- Restrict network access to the Pro Cloud Server management and data_api endpoints to trusted administrative networks only.
- Audit repository user accounts and remove unnecessary write or artifact-upload privileges.
- Review web server and application logs for the indicators listed above and investigate any matches.
Patch Information
The vendor did not respond with details of a fixed version or affected version range as of publication. Operators should contact Sparx Systems for upgrade guidance and monitor the Sparx Systems Pro Cloud Server product page for security updates. Additional technical context is available in the Efigo Blog analysis and the Sploit.tech write-up.
Workarounds
- Block external access to /data_api/dl_internal_artifact.php at a reverse proxy or web application firewall until a vendor patch is available.
- Configure the web server to refuse execution of PHP files inside the artifact-handling directory, for example by restricting PHP handler scope to known application scripts.
- Enforce strict authentication and IP allow-listing on the Pro Cloud Server to limit who can trigger the vulnerable endpoint.
# Example nginx hardening: deny external access to the vulnerable endpoint.
# 10.0.0.0/8 is a placeholder for the trusted administrative network.
location = /data_api/dl_internal_artifact.php {
    allow 10.0.0.0/8;
    deny all;
    # Repeat the site's normal PHP handler directives (fastcgi_pass and
    # related settings) here: a location block with no handler serves the
    # .php source as a static file to the allowed clients instead of running it.
}
# Restrict PHP execution in the data_api directory to a known file allowlist.
# Replace the placeholder names with the vendor-shipped script inventory; the
# exact-match block above takes precedence over this regex block. Matching
# \.php(/|$) also blocks /data_api/x.php/extra, which a PHP handler written as
# ~ \.php(/|$) would otherwise execute.
location ~ ^/data_api/(?!(known_script1|known_script2)\.php(/|$)).*\.php(/|$) {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


