CVE-2025-15621 MEDIUM

CVE-2025-15621: Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID authentication

Vendor: Sparx Systems Pty Ltd.
Product: Sparx Enterprise Architect
Weakness: CWE-522 · Insufficiently protected credentials
Published: April 16, 2026
Last update: April 16, 2026

CVSS base score

5.7/10
Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: Passive
Confidentiality: High
Integrity: Low

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M

What the vulnerability does

01 Description

Insufficiently protected credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect: the client does not verify the receiver of OAuth2 credentials during OpenID authentication.

Key dates

02 Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated