What is CVE-2026-42097?

CVE-2026-42097 is a high-severity vulnerability in Sparx Systems Pro Cloud Server, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.8/10. Published 2026-05-19.

How severe is CVE-2026-42097?

High severity. CVSS v3 base score is 8.8 out of 10.

Auth bypass in Sparx Systems Pro Cloud Server

CVE-2026-42097

Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. T…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.002 (43.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Sparx Systems Pro Cloud Server — versions 0
Sparxsystems Pro_cloud_server

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

cvd@cert.pl (Third Party Advisory, third-party-advisory)
cvd@cert.pl (Product, product)
cvd@cert.pl (Exploit, technical-description, Third Party Advisory)
cvd@cert.pl (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-42097?: CVE-2026-42097 is a high-severity vulnerability in Sparx Systems Pro Cloud Server, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.8/10. Published 2026-05-19.
How severe is CVE-2026-42097?: High severity. CVSS v3 base score is 8.8 out of 10.