CVE-2025-15622

Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret

CVSS 6.2 MEDIUMEPSS 0.2%CWE-522

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.2EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

17 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the OpenID authentication flow.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red

Affected products

Sparx Systems Pty Ltd. · Sparx Enterprise Architect

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://sparxsystems.com/products/ea/17.1/history.html