Description
Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Published: 2026-05-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sparx Pro Cloud Server evaluates authentication solely based on the requested URL, ignoring input in binary POST payloads. By omitting the mandatory "model" query parameter and instead sending only the model name in the binary body of a POST request, an attacker can cause the server to construct and execute arbitrary SQL statements. The lack of authentication verification permits the attacker to read, modify, or delete database contents, thereby compromising data integrity and availability.

Affected Systems

This vulnerability impacts Sparx Systems Pro Cloud Server, specifically version 6.1 build 167 and all earlier builds. Subsequent versions have not yet been tested for this issue, though they may also be susceptible.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. Although the EPSS score is not available, the lack of a vendor patch combined with the ability to execute arbitrary SQL commands without authentication keeps the risk extremely high. The vulnerability is not yet listed in the CISA KEV catalog, yet the absence of a vendor response raises the likelihood that exploitation attempts may already be underway.

Generated by OpenCVE AI on May 19, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update as soon as it becomes available
  • Restrict network access to the Pro Cloud Server to trusted IP addresses or VPN connections to limit exposure
  • If custom development is possible, modify the request handler to enforce presence of the "model" parameter before processing any POST data

Generated by OpenCVE AI on May 19, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Sparxsystems pro Cloud Server
CPEs cpe:2.3:a:sparxsystems:pro_cloud_server:*:*:*:*:*:*:*:*
Vendors & Products Sparxsystems pro Cloud Server
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 20 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparxsystems
Sparxsystems sparx Pro Cloud Server
Vendors & Products Sparxsystems
Sparxsystems sparx Pro Cloud Server

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Title Authentication Bypass in Sparx Pro Cloud Server
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Sparxsystems Pro Cloud Server Sparx Pro Cloud Server
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-19T15:28:13.174Z

Reserved: 2026-04-24T12:15:00.858Z

Link: CVE-2026-42097

cve-icon Vulnrichment

Updated: 2026-05-19T15:28:08.669Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:42.247

Modified: 2026-06-02T14:22:20.267

Link: CVE-2026-42097

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:30:25Z

Weaknesses