Description
Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication
Published: 2026-04-16
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credentials can be intercepted or redirected, allowing an attacker to gain unauthorized access using OAuth2 tokens
Action: Patch
AI Analysis

Impact

The vulnerability is an insufficiently protected credentials issue: the client does not verify the receiver of OAuth2 credentials during OpenID authentication. This allows an attacker to intercept or redirect OAuth2 access or ID tokens, potentially gaining authentication credentials and unauthorized access.

Affected Systems

Sparx Systems Pty Ltd. Sparx Enterprise Architect is affected. All releases are potentially impacted until a patch is applied. No specific version information is provided.

Risk and Exploitability

The CVSS score is 5.7, indicating moderate severity. EPSS is not available, so the current exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need to control or spoof the OpenID provider, or intercept traffic during the authentication flow; the attack vector is inferred from the nature of the credential misuse.

Generated by OpenCVE AI on April 17, 2026 at 04:05 UTC.

Remediation

Vendor Solution

Update to fixed version

OpenCVE Recommended Actions

  • Update Sparx Enterprise Architect to the latest released version that includes the fix
  • Verify that the application correctly checks the issuer and audience fields of OAuth2 tokens and that it does not accept tokens from untrusted sources
  • Configure network controls such as TLS inspection and enforce strict HTTPS usage to prevent man‑in‑the‑middle interception of authentication traffic

Generated by OpenCVE AI on April 17, 2026 at 04:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Sparxsystems
Sparxsystems enterprise Architect
Vendors & Products Sparxsystems
Sparxsystems enterprise Architect

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication
Title Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID authentication
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M'}

Subscriptions

Sparxsystems Enterprise Architect
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-04-16T12:51:51.633Z

Reserved: 2026-04-09T08:02:25.619Z

Link: CVE-2025-15621

cve-icon Vulnrichment

Updated: 2026-04-16T12:51:47.736Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T13:16:43.423

Modified: 2026-04-17T15:17:00.957

Link: CVE-2025-15621

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T04:15:09Z

Weaknesses