Description
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.
Published: 2026-04-17
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of OAuth2 client secret leading to credential theft
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows the client application to expose the OAuth2 client secret in plaintext. An attacker who obtains this secret can use it to request access and ID tokens through the OpenID authentication flow, effectively impersonating the legitimate client and gaining unauthorized access to protected resources.

Affected Systems

Sparx Systems Pty Ltd. Sparx Enterprise Architect is affected. No specific version information is provided in the available data.

Risk and Exploitability

The CVSS score of 6.2 reflects moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an attacker to gain local access to a system running the client or to trick a user into opening a malicious configuration that triggers the secret disclosure. Once the secret is exposed, the attacker can immediately obtain authentication tokens without further interaction.

Generated by OpenCVE AI on April 17, 2026 at 10:21 UTC.

Remediation

Vendor Solution

Update to fixed version

OpenCVE Recommended Actions

  • Apply the vendor patch to the fixed version of Sparx Enterprise Architect.
  • If a patch is not immediately available, disable OAuth2 client authentication or restrict outbound traffic from the client to mitigate token issuance.
  • Rotate or regenerate client secrets and monitor for unauthorized token usage to limit potential impact.

Generated by OpenCVE AI on April 17, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Sparxsystems
Sparxsystems enterprise Architect
Vendors & Products Sparxsystems
Sparxsystems enterprise Architect

Fri, 17 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.
Title Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 6.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red'}

Subscriptions

Sparxsystems Enterprise Architect
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-04-17T12:56:53.740Z

Reserved: 2026-04-09T08:02:28.850Z

Link: CVE-2025-15622

cve-icon Vulnrichment

Updated: 2026-04-17T12:50:48.107Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T09:16:03.633

Modified: 2026-04-17T15:13:15.930

Link: CVE-2025-15622

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:40:12Z

Weaknesses