CVE-2025-15622 MEDIUM

CVE-2025-15622: Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret

Vendor Sparx Systems Pty Ltd.
Product Sparx Enterprise Architect
Weakness CWE-522 · Insufficiently protected credentials
Published April 17, 2026
Last update April 17, 2026

CVSS base score

6.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red

What the vulnerability does

Description

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect: the client reveals a plaintext OAuth2 client secret. The desktop client decodes the embedded secret and uses the plaintext value to exchange it for access and ID tokens as part of the OpenID authentication flow.

Key dates

Disclosure timeline

April 17, 2026 CVE published
April 17, 2026 Record updated