CVE-2026-42097
Status: Awaiting Analysis - Queue
Authentication Bypass in Sparx Pro Cloud Server via SQL Injection

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: CERT.PL

Description
Sparx Pro Cloud Server decides whether a request requires authentication based on the requested URL. An attacker can omit the "model" query parameter and instead send the model name only inside the binary blob of the POST body, which allows SQL query execution without authentication. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or of the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-19
Generated: 2026-05-20
AI Q&A: 2026-05-19
EPSS Evaluated: N/A
Affected Vendors & Products
One associated CPE:
Vendor: sparxsystems
Product: pro_cloud_server
Version / Range: up to 6.1 (inclusive)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Sparx Pro Cloud Server because the decision to require authentication is made from the requested URL. An attacker can exploit this by omitting the "model" query parameter and instead sending the model name only inside the binary blob of a POST body. The URL-based check does not account for the model named in the body, so the request is processed and SQL queries run without any authentication.

Only version 6.1 (build 167) and below have been tested and confirmed vulnerable, but other versions might also be affected.
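
The bypass described above, reduced to a runnable Python model. This is an added example, not code from the original page or from Sparx Systems; the /pcs/query path, the length-prefixed blob format, the model names and the policy table are assumptions. The vulnerable handler gates on the URL and then queries the body's model, while the hardened handler resolves the model from the body first and authorizes that value, rejecting a body that disagrees with the query parameter.

```python
# Added example, not Sparx Systems code: a minimal model of the bug class the
# advisory describes. The request handler decides whether authentication is
# needed from the URL, but runs its query against the model named in the POST
# body. The /pcs/query path, the length-prefixed blob format, the model names
# and the policy table are constructed assumptions for illustration.
import struct
from urllib.parse import parse_qs, urlsplit

KNOWN_MODELS = {"public_model", "hr_model"}
PROTECTED_MODELS = {"hr_model"}  # hypothetical: only this model needs a login


def encode_blob(model: str) -> bytes:
    """Constructed binary body: 2-byte big-endian length, then the model name."""
    raw = model.encode()
    return struct.pack(">H", len(raw)) + raw


def decode_blob(blob: bytes) -> str:
    (n,) = struct.unpack(">H", blob[:2])
    return blob[2:2 + n].decode()


def model_from_query(url: str):
    """The 'model' query parameter, or None when the client omits it."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("model", [None])[0]


def vulnerable_handle(url: str, body: bytes, authenticated: bool) -> str:
    # Auth gate keyed on the URL alone: an absent parameter is treated as
    # "nothing protected here", so the check passes for anonymous callers.
    if model_from_query(url) in PROTECTED_MODELS and not authenticated:
        return "401"
    model = decode_blob(body)  # the model the SQL query actually targets
    return f"200 ran query against {model}"


def hardened_handle(url: str, body: bytes, authenticated: bool) -> str:
    # Resolve the model the request will really operate on before any
    # authorization decision, and refuse inconsistent or unknown values.
    body_model = decode_blob(body)
    query_model = model_from_query(url)
    if query_model is not None and query_model != body_model:
        return "400 model mismatch"
    if body_model not in KNOWN_MODELS:
        return "404 unknown model"
    if body_model in PROTECTED_MODELS and not authenticated:
        return "401"
    return f"200 ran query against {body_model}"


if __name__ == "__main__":
    blob = encode_blob("hr_model")
    # With the parameter present the gate works; without it, the same blob
    # reaches the query path unauthenticated.
    print(vulnerable_handle("/pcs/query?model=hr_model", blob, False))  # 401
    print(vulnerable_handle("/pcs/query", blob, False))  # 200 ran query against hr_model
    print(hardened_handle("/pcs/query", blob, False))  # 401
```

The general lesson is that an access-control decision must be made on the same value the operation will use; whenever a handler accepts the same identifier from two places (query string and body here), the gate has to see the resolved value, and a disagreement between the two sources is itself a reason to refuse the request.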


How can this vulnerability impact me?

This vulnerability can have a severe impact as it allows unauthenticated attackers to execute SQL queries on the server. This can lead to unauthorized data access, data manipulation, or potentially full compromise of the affected system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the vulnerability in Sparx Pro Cloud Server affects compliance with common standards and regulations such as GDPR or HIPAA.


What immediate steps should I take to mitigate this vulnerability?

The vendor has not provided details of the vulnerability or of the vulnerable version range; the reporter tested and confirmed only version 6.1 (build 167) and below as vulnerable, so no fixed version is known at this time.

Immediate mitigation steps should include:

  • Avoid exposing Sparx Pro Cloud Server versions 6.1 (build 167) and below, as these are confirmed vulnerable; newer builds were not tested and may also be affected.
  • Monitor for vendor updates or patches addressing this vulnerability.
  • Restrict access to the Pro Cloud Server to trusted networks or users, for example behind a VPN or an authenticating reverse proxy, so that the server's own URL-based check is not the only control in front of it.
  • Use a WAF, reverse proxy or IDS rule to log, and where feasible block, POST requests to Pro Cloud Server endpoints that carry no "model" query parameter, since that is the shape of the bypass request; validate the rule against legitimate client traffic first, as the advisory does not state whether normal clients ever omit the parameter.
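
A log triage helper for the last bullet, as an added example that is not part of the advisory or of the product: it flags POST requests to assumed Pro Cloud Server paths (/pcs/) that carry no non-empty "model" query parameter, run over constructed Common Log Format lines. Because access logs do not include the POST body, hits are candidates for inspection rather than confirmed exploitation, and the rule should be checked against legitimate client traffic before it is used to block.

```python
# Added example, not part of the advisory or of the Pro Cloud Server product:
# triage web-server access logs for POST requests to the Pro Cloud Server that
# carry no usable "model" query parameter, the request shape described in the
# advisory. The log format (Common Log Format), the /pcs/ path prefix and the
# sample lines below are constructed assumptions. Access logs do not record the
# POST body, so a hit means "worth inspecting", not "confirmed exploitation".
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PCS_PREFIX = "/pcs/"  # assumed path prefix for Pro Cloud Server endpoints

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict of the fields we need, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_model_param(target: str) -> bool:
    """True only if the query string carries a non-empty 'model' value."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(v.strip() for v in qs.get("model", []))


def is_suspicious(rec: dict) -> bool:
    """POST to a Pro Cloud Server path without a usable model parameter."""
    return (
        rec["method"] == "POST"
        and urlsplit(rec["target"]).path.startswith(PCS_PREFIX)
        and not has_model_param(rec["target"])
    )


def scan(lines):
    """Parsed records that match the bypass request shape, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits


def summarize(hits) -> dict:
    """Count hits per source IP, useful for spotting a single probing host."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log: lines 2 and 5 match the bypass shape (line 5 has an
# empty model value, which parse_qs would otherwise silently drop).
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:01:02 +0000] "POST /pcs/query?model=public_model HTTP/1.1" 200 512
10.0.0.9 - - [19/May/2026:10:01:07 +0000] "POST /pcs/query HTTP/1.1" 200 2048
10.0.0.9 - - [19/May/2026:10:01:09 +0000] "GET /pcs/query HTTP/1.1" 200 300
10.0.0.12 - - [19/May/2026:10:02:00 +0000] "POST /static/app.js HTTP/1.1" 404 0
10.0.0.9 - - [19/May/2026:10:02:11 +0000] "POST /pcs/query?model= HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]}')
    print(summarize(found))
```

Note that a 200 status on a flagged request is the interesting case: the server accepted a POST that named no model in the URL, which is exactly the condition the advisory says lets the body's model reach the query path.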
