Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.
Technical ContextAI
Pro Cloud Server is Sparx Systems' middleware that exposes Enterprise Architect repositories over HTTP for multi-user modeling. Authentication is enforced by parsing the requested URL and the 'model' query parameter to determine which repository the caller is targeting and whether credentials are required. CWE-639 (Authorization Bypass Through User-Controlled Key) applies here because the same identifier (the model name) is accepted from two parallel input channels - the URL query string and a binary blob in the POST body - but the auth layer only inspects the URL channel, while the database layer trusts the POST body channel. The result is a confused-deputy condition where SQL queries derived from the POST body run without the URL-driven auth gate ever firing. The CPE 'cpe:2.3:a:sparx_systems:pro_cloud_server:*:*:*:*:*:*:*:*' covers all builds of the product family.
RemediationAI
No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL coordination and has not published a fixed build. As compensating controls, place Pro Cloud Server behind a reverse proxy or WAF that enforces authentication independently of the application (e.g., require HTTP Basic auth or mTLS at the proxy, which neutralizes the URL-vs-body parsing mismatch), and restrict network exposure of the Pro Cloud Server port to trusted internal networks or VPN clients only - both controls break legitimate anonymous read access if your deployment relied on it. Operators should also monitor POST requests whose URL lacks a 'model' parameter but whose body contains model identifiers, as that pattern matches the bypass. Track the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 and the researcher write-ups at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/ for an eventual vendor fix announcement.
More in Pro Cloud Server
View allBroken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged
Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30931
GHSA-hf6p-xc3f-p4f9