CVE-2026-42098
Awaiting Analysis Awaiting Analysis - Queue
Authentication Bypass in Sparx Enterprise Architect

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: CERT.PL

Description
Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-42098
EUVD
EUVD-2026-30930
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sparxsystems enterprise_architect to 17.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-603 A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Sparx Enterprise Architect software, where a security feature intended to restrict user actions based on their role can be bypassed. An authenticated attacker can manipulate the client behavior, for example by using a debugger, to impersonate any other user or administrator. This allows the attacker to perform any changes to the repository without proper authorization.

Impact Analysis

The impact of this vulnerability is significant because an attacker who gains authenticated access can escalate privileges and act as any user or administrator. This means they can make any changes to the repository, potentially leading to unauthorized data modification, data loss, or disruption of business processes.

Mitigation Strategies

The vulnerability affects Sparx Enterprise Architect version 17.1 and below. Since the vendor has not provided detailed information or a patch, the immediate mitigation step is to avoid using version 17.1 and below or restrict access to trusted users only.

Additionally, monitor and control the use of debuggers or tools that could modify the client behavior, as an authenticated attacker can exploit this to log in as any user or administrator.

Compliance Impact

The vulnerability allows an authenticated attacker to modify the Enterprise Architect client behavior and log in as any other user or administrator, enabling unauthorized changes to the repository.

Such unauthorized access and modification capabilities could lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly describe the impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart