Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret

6.2 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red

Description

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.

Basic Information

ID CVE-2025-15622

Source NCSC-FI

Published Apr 17, 2026 at 08:35

Affected Product

Vendor Sparx Systems Pty Ltd.

Product Sparx Enterprise Architect

Version 16.1.1627

Affected Versions Sparx Systems Pty Ltd. Sparx Enterprise Architect 16.1.1627

CWE Classification

CWE-522

References

sparxsystems.com /products/ea/17.1/history.html

{
    "lastseen": "",
    "description": "Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect.\u00a0Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.",
    "published": "2026-04-17T08:35:05.019Z",
    "modified": "2026-04-17T08:35:05.019Z",
    "type": "cve",
    "title": "Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret",
    "source": "NCSC-FI",
    "references": "https://sparxsystems.com/products/ea/17.1/history.html",
    "id": "CVE-2025-15622",
    "bulletinFamily": "",
    "cwe": [
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "Sparx Systems Pty Ltd. Sparx Enterprise Architect 16.1.1627",
    "sourceHref": "",
    "cvss": {
        "score": 6.2,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Sparx Enterprise Architect",
    "version": "16.1.1627",
    "vendor": "Sparx Systems Pty Ltd.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret_CVE-2025-15622