Description
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
Published: 2026-04-15
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

IdentityIQ 8.5 and 8.4 allow authenticated users who possess the Debug Pages Read Only capability or any custom capability containing the ViewAccessDebugPage SPRight to create new IdentityIQ objects without proper checks. This flaw, classified as CWE-863, can permit users to introduce or modify objects that may alter system configuration or grant additional permissions, thereby elevating privileges and compromising the integrity of the data and the confidentiality of the configuration. The issue does not expose information directly but enables a misuse of the system's object creation functionality.

Affected Systems

SailPoint Technologies IdentityIQ versions 8.5 before patch level 8.5p2 and 8.4 before patch level 8.4p4 are impacted. Users of these releases with the specified capabilities are susceptible; no other versions are mentioned.

Risk and Exploitability

A CVSS score of 8.4 signals a high-severity vulnerability, and the lack of an EPSS value indicates that the current exploitation probability is not quantified. The vulnerability appears to be exploitable only by authenticated internal users who have been granted the relevant debug-related capabilities. No public exploitation has been reported and the vulnerability is not listed in the CISA KEV catalog. Until a vendor-issued security fix is available, the primary risk is privilege escalation by any identity that retains those debug capabilities and can therefore misuse object creation.

Generated by OpenCVE AI on April 16, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove the Debug Pages Read Only capability and any custom capabilities that include the ViewAccessDebugPage SPRight from all users and workgroups as an immediate countermeasure.
  • Conduct a thorough review of access control assignments to ensure no user retains debug‑related capabilities, and document any changes for audit purposes.
  • Monitor SailPoint security advisories or the vendor website for an official patch or fix, and plan to apply it once released to fully eliminate the authorization flaw.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 19:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 18:30:00 +0000

  • Description, values added: IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
  • Title, values added: SailPoint IdentityIQ Debug UI Incorrect Authorization
  • Weaknesses, values added: CWE-863
  • References
  • Metrics, values added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: SailPoint

Published:

Updated: 2026-04-16T03:55:39.481Z

Reserved: 2026-03-25T15:51:35.248Z

Link: CVE-2026-4857

Vulnrichment

Updated: 2026-04-15T18:32:45.456Z

NVD

Status: Received

Published: 2026-04-15T19:16:37.730

Modified: 2026-04-15T19:16:37.730

Link: CVE-2026-4857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses