Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Privilege escalation in Sparx Enterprise Architect 17.1 and earlier allows an authenticated low-privilege user to impersonate any other user, including administrators, by tampering with the client-side application (e.g., via a debugger). Because role-based access enforcement happens in the client rather than on the server (CWE-603), an attacker who has any valid login can gain full repository control. No public exploit identified at time of analysis, although technical write-ups are referenced.
Technical ContextAI
Sparx Enterprise Architect is a widely deployed UML/SysML modeling and architecture tool used for enterprise repositories, often running in a client-server (Pro Cloud Server / PCS) configuration. The underlying weakness is CWE-603 (Use of Client-Side Authentication), meaning role and identity decisions are enforced inside the fat-client EA process rather than authoritatively on the server. The CPE cpe:2.3:a:sparx_systems:enterprise_architect:*:*:*:*:*:*:*:* indicates all editions are in scope, and an attacker manipulating the running client (debugger, memory patching, or protocol replay) can override the role checks and assume any account's identity when interacting with the repository backend.
RemediationAI
No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL's disclosure, so no fixed version can be cited. Defenders should monitor https://sparxsystems.com/products/ea/ and the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 for an updated build, and review the technical write-ups at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/ for detection guidance. Compensating controls: restrict EA repository access to trusted users only and remove unneeded accounts, since any authenticated user can escalate (trade-off: limits collaboration); place the Pro Cloud Server behind a VPN or IP allowlist so the network-reachable backend is not exposed to untrusted networks (trade-off: breaks remote modeler workflows); enable verbose audit logging on the EA repository database and alert on role/permission changes and out-of-pattern administrative actions (trade-off: detection only, not prevention); where feasible, set the repository to read-only and require out-of-band review for changes until a patched version ships.
Same weakness CWE-603 – Use of Client-Side Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30930
GHSA-j7p7-w7pr-mwpc