CVE-2025-15621

MEDIUM

Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID authentication

Title source: cna

Description

Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication

References (1)

Core 1

Core References

https://sparxsystems.com/products/ea/17.1/history.html

Scores

CVSS v4 5.7

EPSS 0.0011

EPSS Percentile 1.8%

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-522

Status published

Products (2)

Sparx Systems Pty Ltd./Sparx Enterprise Architect 16.1.1627

Sparx Systems Pty Ltd./Sparx Enterprise Architect 17.1.1714

Published Apr 16, 2026

Tracked Since Apr 16, 2026