Sparx Enterprise Architect Exposes Sensitive OAuth2 Credentials

CVE-2025-15622
Summary

Sensitive credentials for Sparx Enterprise Architect's OAuth2 integration are not properly protected, allowing an attacker to access the system with elevated privileges. This could lead to unauthorized access to sensitive data and system compromise. To mitigate this, update to the latest version of Sparx Enterprise Architect and ensure you're using a secure OAuth2 client secret.

Original title
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secret. Desktop client decodes the secret and uses the ...
Original description
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secret. Desktop client decodes the secret and uses the plaintext secret to exchange it for access and ID tokens as part of the OpenID authentication flow.
NVD CVSS 4.0 score: 6.2
Vulnerability type
CWE-522 Insufficiently Protected Credentials
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026