CVE-2026-42097
Authentication Bypass in Sparx Pro Cloud Server via SQL Injection

Publication date: 2026-05-19

Last updated on: 2026-06-02

Assigner: CERT.PL

Description
Sparx Pro Cloud Server enforces authentication based on the requested URL. An attacker can omit the "model" query parameter and send the model name only inside the binary blob of a POST request, which allows SQL query execution without authentication. The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
Meta Information
Generated: 2026-06-10
EPSS evaluated: 2026-06-08
Affected Vendors & Products
Vendor: sparxsystems
Product: pro_cloud_server
Version / Range: up to 6.1.167 (inclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

The provided information does not specify how the vulnerability in Sparx Pro Cloud Server affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Sparx Pro Cloud Server where authentication is based on the requested URL. An attacker can exploit this by omitting the "model" query parameter and instead sending the model name only within a binary blob in a POST request. This allows the attacker to execute SQL queries without any authentication.

Only version 6.1 (build 167) and below have been tested and confirmed vulnerable, but other versions might also be affected.

Impact Analysis

This vulnerability can have a severe impact as it allows unauthenticated attackers to execute SQL queries on the server. This can lead to unauthorized data access, data manipulation, or potentially full compromise of the affected system.

Mitigation Strategies

The vendor has not provided details about the vulnerability or the vulnerable version range beyond confirming that version 6.1 (build 167) and below are vulnerable.

Immediate mitigation steps should include:

  • Avoid using Sparx Pro Cloud Server versions 6.1 (build 167) and below, as these are confirmed vulnerable.
  • Monitor for vendor updates or patches addressing this vulnerability.
  • Restrict access to the Pro Cloud Server to trusted networks or users to reduce exposure.
  • Implement network-level protections such as firewalls or intrusion detection systems to detect or block suspicious POST requests lacking the "model" query parameter.