CVE-2025-15622

MEDIUM

Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret

Title source: cna

Description

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. The client reveals the plaintext OAuth2 client secret: the desktop client decodes the secret and uses the plaintext value to exchange it for access and ID tokens as part of the OpenID authentication flow.

Scores

CVSS v4 6.2
EPSS 0.0002
EPSS Percentile 5.7%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-522
Status published
Products (2)
Sparx Systems Pty Ltd./Sparx Enterprise Architect 16.1.1627
Sparx Systems Pty Ltd./Sparx Enterprise Architect 17.1.1714
Published Apr 17, 2026
Tracked Since Apr 17, 2026