Description
Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Published: 2026-05-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sparx Pro Cloud Server evaluates authentication solely based on the requested URL, ignoring input in binary POST payloads. By omitting the mandatory "model" query parameter and instead sending only the model name in the binary body of a POST request, an attacker can cause the server to construct and execute arbitrary SQL statements. The lack of authentication verification permits the attacker to read, modify, or delete database contents, thereby compromising data integrity and availability.

Affected Systems

This vulnerability impacts Sparx Systems Pro Cloud Server, specifically version 6.1 build 167 and all earlier builds. Subsequent versions have not yet been tested for this issue, though they may also be susceptible.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. Although the EPSS score is not available, the lack of a vendor patch combined with the ability to execute arbitrary SQL commands without authentication keeps the risk extremely high. The vulnerability is not yet listed in the CISA KEV catalog, yet the absence of a vendor response raises the likelihood that exploitation attempts may already be underway.

Generated by OpenCVE AI on May 19, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update as soon as it becomes available
  • Restrict network access to the Pro Cloud Server to trusted IP addresses or VPN connections to limit exposure
  • If custom development is possible, modify the request handler to enforce presence of the "model" parameter before processing any POST data

Generated by OpenCVE AI on May 19, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Title Authentication Bypass in Sparx Pro Cloud Server
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-19T15:28:13.174Z

Reserved: 2026-04-24T12:15:00.858Z

Link: CVE-2026-42097

cve-icon Vulnrichment

Updated: 2026-05-19T15:28:08.669Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T14:16:42.247

Modified: 2026-05-19T14:45:59.807

Link: CVE-2026-42097

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:15:08Z

Weaknesses