CVE-2026-42097
Description
Sparx Pro Cloud Server decides whether a request requires authentication based on the requested URL. An attacker can omit the "model" query parameter and send the model name only inside the binary blob in the POST request body, allowing SQL query execution without authentication.
The vendor was notified about this vulnerability early, but did not respond with details of the vulnerability or the affected version range. Only version 6.1 (build 167) and below were tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sparx Pro Cloud Server allows unauthenticated SQL query execution because the authentication check is keyed on the "model" query parameter in the URL, while the model name actually used for the query can be supplied in the POST body instead.
Vulnerability
Sparx Pro Cloud Server versions through 6.1 (build 167), and possibly later, contain an authorization bypass vulnerability (CWE-639). The server decides whether to require authentication based on the requested URL, but an attacker can omit the model query parameter and instead include the model name in the binary blob of the POST body; the server then acts on the blob's model name without ever having authenticated the request. This allows SQL query execution without any authentication [1][2].
Exploitation
An attacker with network access to the server can send a crafted POST request that omits the model query parameter and places the model name in the binary payload. No authentication or user interaction is required. Because the authorization decision is derived from the URL while the operation is driven by the body, the server processes the request without proper authorization, enabling arbitrary SQL query execution [1][2].
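The following is an added illustrative model of the bug class described in the Vulnerability and Exploitation sections above. It is not Sparx's code, and the blob layout (one length byte, the model name, then the SQL text), the request path "/api" and the handler names are all hypothetical placeholders; the real wire format of Sparx Pro Cloud Server is not described on this page. The point it makes is the one the advisory makes: when the authentication decision is keyed on one representation of a parameter (the URL) while the operation consumes another (the body), omitting the first silently skips the check.

```python
# Added example: an authorization check keyed on the URL beside a hardened form.
# Hypothetical code, not Sparx Pro Cloud Server's implementation; the blob layout,
# path and function names are placeholders chosen for this illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    url: str                      # e.g. "/api?model=hr" (path is a placeholder)
    body: bytes                   # binary blob carrying the model name and SQL text
    authenticated: bool = False   # True when the caller presented valid credentials


class Denied(Exception):
    """Raised when a handler refuses to run the query."""


def encode_blob(model: str, sql: str) -> bytes:
    """Hypothetical blob layout: 1-byte model-name length, model name, SQL text."""
    name = model.encode("utf-8")
    if len(name) > 255:
        raise ValueError("model name too long for this toy layout")
    return bytes([len(name)]) + name + sql.encode("utf-8")


def parse_blob(blob: bytes) -> tuple[str, str]:
    """Inverse of encode_blob; rejects truncated input instead of guessing."""
    if not blob:
        raise ValueError("empty blob")
    n = blob[0]
    if len(blob) < 1 + n:
        raise ValueError("truncated model name")
    model = blob[1:1 + n].decode("utf-8")
    sql = blob[1 + n:].decode("utf-8")
    return model, sql


def run_sql(model: str, sql: str) -> str:
    # Stand-in for real query execution; returns a tag so callers can see it ran.
    return f"executed on {model}: {sql}"


def handle_vulnerable(req: Request) -> str:
    """Mirrors the flaw: auth is decided from the URL, the query runs on the blob's model.

    If "model" is absent from the query string the authentication branch is never
    taken, yet parse_blob still yields a model name and the SQL is executed.
    """
    params = parse_qs(urlsplit(req.url).query)
    if "model" in params and not req.authenticated:
        raise Denied("auth required for model access")
    model, sql = parse_blob(req.body)   # model comes from the body, unchecked
    return run_sql(model, sql)


def handle_fixed(req: Request) -> str:
    """Hardened: authorize the operation itself, and resolve the model from one place.

    Every path that reaches run_sql requires authentication, and a model named in
    both the URL and the body must agree, so the two representations cannot diverge.
    """
    params = parse_qs(urlsplit(req.url).query)
    model, sql = parse_blob(req.body)
    url_model = params.get("model", [None])[0]
    if url_model is not None and url_model != model:
        raise Denied("model mismatch between URL and body")
    if not req.authenticated:
        raise Denied("auth required for SQL execution")
    return run_sql(model, sql)


def demo() -> dict:
    """Constructed requests showing the bypass against the vulnerable handler only."""
    blob = encode_blob("hr", "SELECT 1")          # constructed sample payload
    bypass = Request(url="/api", body=blob)        # no model in URL, unauthenticated
    results = {}
    results["vulnerable_unauth_no_param"] = handle_vulnerable(bypass)
    try:
        handle_fixed(bypass)
        results["fixed_unauth_no_param"] = "executed"
    except Denied as e:
        results["fixed_unauth_no_param"] = f"denied: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the vulnerable handler executing the query for an unauthenticated request that carries the model name only in the body, while the hardened handler denies the same request. The fix is not a stricter parser: it is moving the authorization check from "was the model named in the URL?" to "is this caller allowed to execute SQL against the model this request resolves to?".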
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries, leading to unauthorized read, write, or deletion of database contents. This could compromise sensitive data, alter system configurations, or disrupt service availability. The attacker gains database-level access without any prior privileges [1][2].
Mitigation
No official patch or vendor response has been provided. Only version 6.1 (build 167) and below have been confirmed vulnerable; newer versions were not tested and may also be affected. Recommended mitigations include restricting network access to the server, enforcing authentication in front of the server rather than relying on its URL-based check (for example, at a reverse proxy that rejects requests to the affected endpoint unless they carry valid credentials), or disabling the vulnerable endpoint until a vendor fix is available. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=6.1 (build 167)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.