Insufficiently Protected Credentials in Sparx Enterprise Architect
CVE-2025-15622
6.2 MEDIUM
What is CVE-2025-15622?
The vulnerability in Sparx Enterprise Architect stems from inadequate protection of OAuth2 credentials. The desktop client exposes the OAuth2 client secret in plaintext, so an attacker with access to the client can recover it and use it in the OpenID Connect authentication flow. The flaw is one of mishandled authentication secrets, and it undermines the security of user access tokens and the identity verification they depend on.
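The desktop-client design that avoids shipping a client secret at all, written here as an added example (this is not Sparx code, and the endpoints, client id and redirect URI are placeholders): the client is registered with the identity provider as a public client and proves possession of the authorization code with a PKCE code_verifier (RFC 7636), so there is no long-lived secret in the binary to extract.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values for the example; none of these come from the advisory.
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "desktop-client-placeholder"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback redirect, as RFC 8252 recommends for native apps


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier, 43 chars for 32 bytes (RFC 7636 allows 43..128 unreserved chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request(verifier: str, state: str) -> dict:
    """Front-channel request parameters; only the challenge is sent, never the verifier."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def authorization_url(verifier: str, state: str) -> str:
    return f"{AUTHZ_ENDPOINT}?{urlencode(authorization_request(verifier, state))}"


def token_request(code: str, verifier: str) -> dict:
    """Back-channel exchange for a public client: the verifier replaces client_secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def uses_embedded_secret(params: dict) -> bool:
    """Review check for a native client's token request: it must not carry a client_secret."""
    return "client_secret" in params
```

The identity provider must be configured to require PKCE for this client, otherwise dropping the secret alone does not bind the code to the instance that requested it.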
Affected Version(s)
Sparx Enterprise Architect 16.1.1627
Sparx Enterprise Architect 17.1.1714
CVSS V4
Score: 6.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Credit
Pasi Orovuo, Solita Oy
Henri Hämäläinen, Solita Oy
Samu Ahvenainen, Solita Oy
