CVE-2026-42098
CWE-603Published: May 19, 2026· Updated: May 19, 2026
Official Description
Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is possible to do every possible change to the repository.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Technical Analysis
CVE-2026-42098 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (4)
Quick Facts
Related CVEs (CWE-603)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-42098 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts