CVE-2026-42098

Published May 19, 2026 Modified May 19, 2026 CWE-603

Description

Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

EPSS — Exploit Prediction

0.0004
Probability of exploitation
0.13%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-603 CWE-603

References

Frequently Asked Questions

What is CVE-2026-42098? +
Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
How do I check if I'm vulnerable to CVE-2026-42098? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-40551

mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the …
CVE-2024-39375 9.8

TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing authentication and gaining administrator privileges.
CVE-2025-12868 9.8

New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the …
CVE-2025-62650 8.3

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.
CVE-2025-61940 8.3

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User …
CVE-2024-45785 7.5

MUSASI version 3 contains an issue with use of client-side authentication. If this vulnerability is exploited, other users' credential and …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-42098 — free, no signup required.

Start Free Scan