CVE-2026-4857 HIGH

CVE-2026-4857: SailPoint IdentityIQ Debug UI Incorrect Authorization

Vendor Sailpoint Technologies

Product IdentityIQ

Weakness CWE-863 · Incorrect authorization

Published April 15, 2026

Last update April 16, 2026

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.

Key dates

02Disclosure timeline

April 15, 2026 CVE published

April 16, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4857 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2026-4857

CWE CWE-863

CVSS 8.4 / HIGH

Affected versions

Vendor Sailpoint Technologies

Product IdentityIQ

Affected ≥ 8.5 and < 8.5p2

Vendor Sailpoint Technologies

Product IdentityIQ

Affected ≥ 8.4 and < 8.4p4

CVE-2026-4857: SailPoint IdentityIQ Debug UI Incorrect Authorization

01Description

02Disclosure timeline

03References

04Related CVE