Author Topic: Security Vulnerability with Sparx EA CVE-2026-42098  (Read 383 times)

Sunshine

  • EA Practitioner
  • ***
  • Posts: 1351
  • Karma: +121/-10
  • It's the results that count
Security Vulnerability with Sparx EA CVE-2026-42098
« on: May 21, 2026, 10:41:55 am »
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-42098
Sparx Enterprise Architect software has a security feature that limits users' actions to those specified in their role. An authenticated attacker can modify the Enterprise Architect client's behavior (e.g. using a debugger) and log in as any other user or administrator; then it is possible to make every possible change to the repository. The vendor was notified early about this vulnerability but didn't respond with the details of the vulnerability or the vulnerable version range. Only versions 17.1 and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Further scanning of the internet revealed some other vulnerabilities: https://cert.pl/en/posts/2026/05/CVE-2026-42096/

Does anyone at Sparx Systems have any further information on whether these issues have been acknowledged and whether they are going to be fixed?
We were in the middle of the procurement process to purchase Trerado - Sparx EA and Prolaborate in the cloud, which I'm putting on hold until we find out more.
« Last Edit: May 21, 2026, 11:50:41 am by Sunshine »
Happy to help
:)

Geert Bellekens

  • EA Guru
  • *****
  • Posts: 13517
  • Karma: +573/-33
  • Make EA work for YOU!
Re: Security Vulnerability with Sparx EA CVE-2026-42098
« Reply #1 on: May 21, 2026, 06:42:23 pm »
I think the "security" feature is a bit of a misnomer.
It's more like a feature to protect users from themselves.

It's not "real" security.
If you know what you are doing you can quite easily give yourself admin rights in EA and do whatever you want.

If you give users access to your repository you should trust them to not be bad actors.
If you can't, you shouldn't give them access.

That's different for something like Prolaborate. This product is intended to be accessible from the (big bad) internet, and it should have "real" security.

Geert
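The point both posts circle around is where the role check runs. The following is an added illustration, not Sparx EA's code and not a model of EA's internals: the user directory, passwords, roles and the two repository classes are all assumptions constructed for the demo. It contrasts model A, where the backend accepts any write from an authenticated connection and the role check lives in the client (so a debugger or binary patch that makes the client's role query answer "admin" is enough), with model B, where the backend binds a server-issued token to the authenticated user and derives the role from its own records on every write, so the same patched client is refused.

```python
# Added illustration of client-enforced vs. server-enforced role checks.
# Constructed example; it is not Sparx EA code and does not model EA internals.
from dataclasses import dataclass, field
import secrets

# Constructed user directory and role map (assumed, for the demo only).
USERS = {
    "alice": {"password": "alice-pw", "role": "admin"},
    "bob": {"password": "bob-pw", "role": "viewer"},
}
PERMISSIONS = {"admin": {"read", "write"}, "viewer": {"read"}}


class PermissionDenied(Exception):
    pass


def check_password(user, password):
    record = USERS.get(user)
    if record is None or not secrets.compare_digest(record["password"], password):
        raise PermissionDenied("bad credentials")


@dataclass
class ClientEnforcedRepo:
    """Model A: credentials are checked once, then every write is accepted.
    The role check is left to the client."""
    elements: list = field(default_factory=list)

    def login(self, user, password):
        check_password(user, password)
        return user  # the "session" is just the username the client presented

    def write(self, session, element):
        # No authorization here: the backend trusts the client to have checked.
        self.elements.append((session, element))


@dataclass
class ServerEnforcedRepo:
    """Model B: an opaque token is bound to the authenticated user and the
    role is looked up server-side on every write."""
    elements: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # token -> username

    def login(self, user, password):
        check_password(user, password)
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def write(self, session, element):
        user = self.sessions.get(session)
        if user is None:
            raise PermissionDenied("unknown session")
        if "write" not in PERMISSIONS[USERS[user]["role"]]:
            raise PermissionDenied(f"{user} may not write")
        self.elements.append((user, element))


class Client:
    """Honest client: asks for its role and refuses to write if not allowed."""
    def __init__(self, repo, user, password):
        self.repo, self.user = repo, user
        self.session = repo.login(user, password)

    def role(self):
        return USERS[self.user]["role"]  # evaluated inside the client process

    def save(self, element):
        if "write" not in PERMISSIONS[self.role()]:
            raise PermissionDenied(f"{self.user} may not write")
        self.repo.write(self.session, element)


class PatchedClient(Client):
    """What a debugger or binary patch achieves: the client-side role query
    always answers 'admin'. Nothing else about the client changes."""
    def role(self):
        return "admin"


def attempt(client_cls, repo, user, password, element):
    """Return 'wrote' or 'denied' for one save attempt."""
    try:
        client_cls(repo, user, password).save(element)
        return "wrote"
    except PermissionDenied:
        return "denied"


def run():
    """Exercise both models with the viewer account 'bob' and admin 'alice'."""
    a, b = ClientEnforcedRepo(), ServerEnforcedRepo()
    results = {
        "honest_viewer_model_a": attempt(Client, a, "bob", "bob-pw", "e1"),
        "patched_viewer_model_a": attempt(PatchedClient, a, "bob", "bob-pw", "e2"),
        "honest_viewer_model_b": attempt(Client, b, "bob", "bob-pw", "e3"),
        "patched_viewer_model_b": attempt(PatchedClient, b, "bob", "bob-pw", "e4"),
        "admin_model_b": attempt(Client, b, "alice", "alice-pw", "e5"),
    }
    # A patched client cannot forge a session either: tokens are server-issued.
    try:
        b.write("0" * 32, "e6")
        results["forged_session_model_b"] = "wrote"
    except PermissionDenied:
        results["forged_session_model_b"] = "denied"
    results["model_a_elements"] = [e for _, e in a.elements]
    results["model_b_elements"] = [e for _, e in b.elements]
    return results


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Running it shows the viewer's patched client writing "e2" into the model A repository while every attempt against model B is refused, which is the distinction between a feature that guards users against their own mistakes and an authorization boundary that holds against someone who controls the client binary.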