Improper Authorization in Sparx Enterprise Architect - CVE-2026-42098

Published: May 27, 2026
Vulnerability identifier: #VU132371
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42098
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sparx Systems
Affected software:
Sparx Enterprise Architect

Detailed vulnerability description

The vulnerability allows a remote user to perform unauthorized actions on the model.

The vulnerability exists due to improper access control: security enforcement is performed in the Enterprise Architect client when processing authenticated model operations. A remote user can modify the client's behavior to log in as another user or as an administrator and perform unauthorized actions on the model.

The issue also applies to cloud models in configurations that do not require server-side HTTP authentication, or when the "login as different user" option is used.

How to mitigate CVE-2026-42098

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources