SB2026052743 - Improper authorization in Sparx Enterprise Architect




Published: May 27, 2026

Security Bulletin ID SB2026052743
CSH Severity Low
Patch available NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Authorization (CVE-ID: CVE-2026-42098)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized actions on the model.

The vulnerability exists due to improper access control in the Enterprise Architect client security enforcement when processing authenticated model operations. A remote user can modify the client behavior to log in as another user or administrator to perform unauthorized actions on the model.

The issue also applies to cloud models in configurations that do not require server HTTP authentication, or when the "login as different user" option is used.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.