Skip to main content

Sparx Pro Cloud Server CVE-2026-42097

| EUVDEUVD-2026-30931 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-19 CERT-PL GHSA-hf6p-xc3f-p4f9
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 14:30 vuln.today

DescriptionCVE.org

Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.

Technical ContextAI

Pro Cloud Server is Sparx Systems' middleware that exposes Enterprise Architect repositories over HTTP for multi-user modeling. Authentication is enforced by parsing the requested URL and the 'model' query parameter to determine which repository the caller is targeting and whether credentials are required. CWE-639 (Authorization Bypass Through User-Controlled Key) applies here because the same identifier (the model name) is accepted from two parallel input channels - the URL query string and a binary blob in the POST body - but the auth layer only inspects the URL channel, while the database layer trusts the POST body channel. The result is a confused-deputy condition where SQL queries derived from the POST body run without the URL-driven auth gate ever firing. The CPE 'cpe:2.3:a:sparx_systems:pro_cloud_server:*:*:*:*:*:*:*:*' covers all builds of the product family.

RemediationAI

No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL coordination and has not published a fixed build. As compensating controls, place Pro Cloud Server behind a reverse proxy or WAF that enforces authentication independently of the application (e.g., require HTTP Basic auth or mTLS at the proxy, which neutralizes the URL-vs-body parsing mismatch), and restrict network exposure of the Pro Cloud Server port to trusted internal networks or VPN clients only - both controls break legitimate anonymous read access if your deployment relied on it. Operators should also monitor POST requests whose URL lacks a 'model' parameter but whose body contains model identifiers, as that pattern matches the bypass. Track the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 and the researcher write-ups at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/ for an eventual vendor fix announcement.

Share

CVE-2026-42097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy