Authorization Flaw in SailPoint IdentityIQ Affects User Capabilities
CVE-2026-4857
8.4 HIGH
What is CVE-2026-4857?
SailPoint IdentityIQ versions 8.5 and 8.4 contain an authorization flaw that allows authenticated users who hold the Debug Pages Read Only capability, or any custom capability containing the ViewAccessDebugPage SPRight, to improperly create new IdentityIQ objects. This flaw can potentially lead to unauthorized access to and manipulation of sensitive identity data. To mitigate this issue, organizations are advised to temporarily revoke the Debug Pages Read Only capability, and any custom capabilities that include the ViewAccessDebugPage SPRight, from all identities and workgroups until a security patch is available.
Affected Version(s)
IdentityIQ 8.5 < 8.5p2
IdentityIQ 8.4 < 8.4p4
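The revocation step and the version ranges above can be checked with a short script. This is an added example, not SailPoint's code or tooling: it tests a version string against the patch levels listed on this page and lists every identity or workgroup holding a capability that contains the ViewAccessDebugPage SPRight. The XML layout, the `workgroup` attribute and all names other than "Debug Pages Read Only" and "ViewAccessDebugPage" are assumptions modelled on an object export.

```python
import re
import xml.etree.ElementTree as ET

RIGHT = "ViewAccessDebugPage"        # SPRight named in the advisory
FIXED_PATCH = {"8.5": 2, "8.4": 4}   # first fixed patch levels listed on the page
# Constructed sample. The element layout is an assumption, as are all names
# except "Debug Pages Read Only" and "ViewAccessDebugPage".
SAMPLE_EXPORT = """<sailpoint>
  <Capability name="Debug Pages Read Only"><RightRefs>
    <Reference class="sailpoint.object.SPRight" name="ViewAccessDebugPage"/>
  </RightRefs></Capability>
  <Capability name="HelpDeskTriage"><RightRefs>
    <Reference class="sailpoint.object.SPRight" name="ExampleOtherRight"/>
    <Reference class="sailpoint.object.SPRight" name="ViewAccessDebugPage"/>
  </RightRefs></Capability>
  <Capability name="ReportViewer"><RightRefs>
    <Reference class="sailpoint.object.SPRight" name="ExampleOtherRight"/>
  </RightRefs></Capability>
  <Identity name="alice"><Capabilities>
    <Reference class="sailpoint.object.Capability" name="Debug Pages Read Only"/>
  </Capabilities></Identity>
  <Identity name="bob"><Capabilities>
    <Reference class="sailpoint.object.Capability" name="ReportViewer"/>
  </Capabilities></Identity>
  <Identity name="Support Workgroup" workgroup="true"><Capabilities>
    <Reference class="sailpoint.object.Capability" name="HelpDeskTriage"/>
  </Capabilities></Identity>
</sailpoint>"""

def is_affected(version):
    """True if version (e.g. '8.4p3') is below the fixed patch level on the page."""
    m = re.fullmatch(r"(\d+\.\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base, patch = m.group(1), int(m.group(2) or 0)
    return base in FIXED_PATCH and patch < FIXED_PATCH[base]

def holders_to_review(xml_text):
    """Map each identity/workgroup to the capabilities it holds that grant RIGHT."""
    root = ET.fromstring(xml_text)
    risky = {c.get("name") for c in root.iter("Capability")
             if any(r.get("name") == RIGHT for r in c.iter("Reference"))}
    hits = {}
    for ident in root.iter("Identity"):
        refs = (r for r in ident.iter("Reference")
                if r.get("class") == "sailpoint.object.Capability")
        held = {r.get("name") for r in refs} & risky
        if held:
            hits[ident.get("name")] = sorted(held)
    return hits
```

`is_affected` returns False for release lines this page does not list, which means "not covered here", not "known safe".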
