Description
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.
Published: 2026-04-29
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated identity who is a requestor or assignee of a work item to edit the definition of a role without possessing the required capability. This flaw enables an attacker to modify role configurations and elevate privileges beyond what their assigned permissions allow.

Affected Systems

SailPoint Technologies IdentityIQ – all product versions are impacted. No specific version ranges are listed, so any deployed instance of IdentityIQ is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8 indicates a high severity vulnerability. Because the exploitable conditions require only an authenticated user who is the requestor or assignee of a work item, the attack can be carried out by anyone who has legitimate access to the system and holds such a role. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of public exploitation data does not diminish the risk for organizations that have this flaw present. The primary risk is the potential for an attacker to alter role definitions and thereby gain unauthorized authority within the identity management environment.

Generated by OpenCVE AI on April 29, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the fixed version of SailPoint IdentityIQ that resolves the role editing authorization issue.
  • Configure role editing permissions so that only users with explicit administrative capability may modify role definitions, instead of granting this right to all requestors or assignees of work items.
  • Review and harden any custom workflows or scripts that permit role modifications for work item participants, ensuring they adhere to least‑privilege principles.

Generated by OpenCVE AI on April 29, 2026 at 21:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Sailpoint Technologies
Sailpoint Technologies identityiq
Vendors & Products Sailpoint Technologies
Sailpoint Technologies identityiq

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.
Title IdentityIQ Role Editor Incorrect Authorization Vulnerability
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Sailpoint Technologies Identityiq
cve-icon MITRE

Status: PUBLISHED

Assigner: SailPoint

Published:

Updated: 2026-04-30T03:56:06.567Z

Reserved: 2026-04-06T17:12:18.180Z

Link: CVE-2026-5712

cve-icon Vulnrichment

Updated: 2026-04-29T18:12:24.929Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-29T18:16:05.180

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-5712

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses