PatchSiren cyber security CVE debrief
CVE-2026-42097 Sparx Systems CVE debrief
CVE-2026-42097 describes a critical authentication-bypass issue in Sparx Pro Cloud Server where request handling depends on a URL parameter. According to the supplied sources, an attacker can omit the "model" query parameter and place the model name in the POST binary blob, which can lead to SQL query execution without authentication. The issue was published on 2026-05-19, and the vendor was reportedly notified early but did not provide a confirmed affected-version range. The supplied evidence confirms version 6.1 (build 167) and earlier were tested and found vulnerable; newer versions were not tested in the corpus.
- Vendor: Sparx Systems
- Product: Pro Cloud Server
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Administrators and operators running Sparx Pro Cloud Server, especially exposed internet-facing deployments; security teams responsible for authentication, API, and database access controls; and incident responders evaluating possible unauthorized data access or query execution on affected instances.
Technical summary
The available record ties the weakness to CWE-639 and a request-parsing/authentication decision based on the requested URL. The reported bypass works when the expected "model" query parameter is omitted and the model name is supplied in the POST binary payload instead. That behavior can allow unauthenticated SQL query execution. The corpus does not provide a confirmed full affected-version matrix; it only confirms vulnerability in version 6.1 (build 167) and below during testing.
Defensive priority
Immediate. This is a CVSS 9.3 critical issue with network reachability and no authentication required, so exposed deployments should be treated as high risk until patched or otherwise mitigated.
Recommended defensive actions
- Identify all Sparx Pro Cloud Server deployments and determine which are reachable from untrusted networks.
- Check whether any instance is at version 6.1 (build 167) or earlier; assume potential exposure for untested later versions until vendor guidance is available.
- Restrict network access to the service to trusted hosts or internal networks while remediation is pending.
- Monitor application and database logs for anomalous requests involving missing "model" query parameters or unusual POST payload handling.
- Apply vendor updates or mitigations as soon as they are available from the official product channel.
- If compromise is suspected, review database activity and credential exposure paths associated with the service.
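The version triage in the second action and the log monitoring in the fourth can both be scripted. The following is an added example written for this debrief, not code from Sparx Systems or from the referenced write-up. It assumes a combined-format web access log in front of the server, a hypothetical request path prefix of `/pcs/` (the real endpoint paths are not given in the corpus and must be substituted), and constructed sample log lines and version strings. It flags POST requests to the watched path that carry no "model" query parameter, which is the request shape the advisory describes, and classifies a reported version against the confirmed-vulnerable ceiling of 6.1 (build 167).

```python
"""Triage helpers for CVE-2026-42097 (Sparx Pro Cloud Server).

Added example, not vendor code. The endpoint prefix, log format and
sample data below are constructed assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical endpoint prefix; replace with the paths your deployment serves.
WATCHED_PATH_PREFIXES = ("/pcs/",)

# Only 6.1 (build 167) and below are confirmed vulnerable in the corpus;
# later builds were not tested, so they are reported as "assume exposed".
CONFIRMED_VULNERABLE_MAX = (6, 1, 167)

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_suspicious(rec):
    """True for a POST to a watched path whose query string lacks 'model'.

    This is the request shape the advisory associates with the bypass:
    the model name is absent from the URL and carried in the body instead.
    """
    if rec is None or rec["method"] != "POST":
        return False
    if not rec["path"].startswith(WATCHED_PATH_PREFIXES):
        return False
    return "model" not in rec["query"]


def scan(lines):
    """Return the parsed records that match the suspicious pattern."""
    return [r for r in map(parse_line, lines) if is_suspicious(r)]


def parse_version(text):
    """Turn 'major.minor (build N)' into a comparable (major, minor, build) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\D+(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def exposure_status(version_text):
    """Classify an installed version against the corpus's tested range."""
    if parse_version(version_text) <= CONFIRMED_VULNERABLE_MAX:
        return "confirmed-vulnerable"
    return "untested-assume-exposed"


# Constructed sample log lines (not real traffic). Only the third line
# matches: a POST to the watched prefix with no "model" query parameter.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/May/2026:10:00:01 +0000] "GET /pcs/?model=sales HTTP/1.1" 200 512',
    '203.0.113.10 - - [19/May/2026:10:00:02 +0000] "POST /pcs/?model=sales HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/May/2026:10:00:03 +0000] "POST /pcs/ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [19/May/2026:10:00:04 +0000] "POST /static/app.js HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"suspicious: {rec['ip']} {rec['time']} POST {rec['target']}")
    for v in ("6.1 (build 167)", "5.9 (build 40)", "6.2 (build 12)"):
        print(f"{v}: {exposure_status(v)}")
```

The path prefix is the one value a practitioner must change before use; the rest runs against any combined-format log. A hit is a lead, not a verdict, since legitimate clients may also omit the parameter, so correlate flagged requests with database query logs and source addresses before treating them as compromise indicators.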
Evidence notes
All claims in this debrief are limited to the supplied corpus: the NVD record, the CERT.PL-linked references, the Sparx Systems product page reference, and the referenced write-up. The corpus explicitly states that only version 6.1 (build 167) and below were tested and confirmed vulnerable, and that the vendor did not provide a confirmed vulnerable-version range. The weakness classification supplied with the record is CWE-639.
Official resources
CVE published 2026-05-19 and last modified 2026-05-19. The corpus indicates early vendor notification but no confirmed vendor-provided affected-version range. Testing in the supplied sources confirmed vulnerability in version 6.1 (build 167