Skip to main content

Sparx Enterprise Architect CVE-2026-42098

| EUVDEUVD-2026-30930 HIGH
Use of Client-Side Authentication (CWE-603)
2026-05-19 CERT-PL GHSA-j7p7-w7pr-mwpc
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 14:31 vuln.today

DescriptionCVE.org

Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Privilege escalation in Sparx Enterprise Architect 17.1 and earlier allows an authenticated low-privilege user to impersonate any other user, including administrators, by tampering with the client-side application (e.g., via a debugger). Because role-based access enforcement happens in the client rather than on the server (CWE-603), an attacker who has any valid login can gain full repository control. No public exploit identified at time of analysis, although technical write-ups are referenced.

Technical ContextAI

Sparx Enterprise Architect is a widely deployed UML/SysML modeling and architecture tool used for enterprise repositories, often running in a client-server (Pro Cloud Server / PCS) configuration. The underlying weakness is CWE-603 (Use of Client-Side Authentication), meaning role and identity decisions are enforced inside the fat-client EA process rather than authoritatively on the server. The CPE cpe:2.3:a:sparx_systems:enterprise_architect:*:*:*:*:*:*:*:* indicates all editions are in scope, and an attacker manipulating the running client (debugger, memory patching, or protocol replay) can override the role checks and assume any account's identity when interacting with the repository backend.

RemediationAI

No vendor-released patch identified at time of analysis - Sparx Systems did not respond to CERT-PL's disclosure, so no fixed version can be cited. Defenders should monitor https://sparxsystems.com/products/ea/ and the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 for an updated build, and review the technical write-ups at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/ for detection guidance. Compensating controls: restrict EA repository access to trusted users only and remove unneeded accounts, since any authenticated user can escalate (trade-off: limits collaboration); place the Pro Cloud Server behind a VPN or IP allowlist so the network-reachable backend is not exposed to untrusted networks (trade-off: breaks remote modeler workflows); enable verbose audit logging on the EA repository database and alert on role/permission changes and out-of-pattern administrative actions (trade-off: detection only, not prevention); where feasible, set the repository to read-only and require out-of-band review for changes until a patched version ships.

Share

CVE-2026-42098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy