{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4857", "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "state": "PUBLISHED", "assignerShortName": "SailPoint", "dateReserved": "2026-03-25T15:51:35.248Z", "datePublished": "2026-04-15T18:08:45.737Z", "dateUpdated": "2026-04-16T03:55:39.481Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint", "dateUpdated": "2026-04-15T18:13:53.171Z"}, "title": "SailPoint IdentityIQ Debug UI Incorrect Authorization", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "SailPoint Technologies", "product": "IdentityIQ", "versions": [{"status": "affected", "version": "8.5", "lessThan": "8.5p2", "versionType": "custom"}, {"status": "affected", "version": "8.4", "lessThan": "8.4p4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u00a0 Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>\n\n<p><span>IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.<span>&nbsp; </span>Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.</span></p>\n\n</div>"}]}], "references": [{"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "wildwildwes", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4857"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T03:55:39.481Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T18:32:08.513579Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:32:45.456Z"}}], "cna": {"title": "SailPoint IdentityIQ Debug UI Incorrect Authorization", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "wildwildwes"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SailPoint Technologies", "product": "IdentityIQ", "versions": [{"status": "affected", "version": "8.5", "lessThan": "8.5p2", "versionType": "custom"}, {"status": "affected", "version": "8.4", "lessThan": "8.4p4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u00a0 Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.", "supportingMedia": [{"type": "text/html", "value": "<div>\n\n<p><span>IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.<span>&nbsp; </span>Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.</span></p>\n\n</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint", "dateUpdated": "2026-04-15T18:13:53.171Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4857", "state": "PUBLISHED", "dateUpdated": "2026-04-16T03:55:39.481Z", "dateReserved": "2026-03-25T15:51:35.248Z", "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "datePublished": "2026-04-15T18:08:45.737Z", "assignerShortName": "SailPoint"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u00a0 Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups."}], "id": "CVE-2026-4857", "lastModified": "2026-04-17T15:08:01.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "psirt@sailpoint.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:37.730", "references": [{"source": "psirt@sailpoint.com", "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857"}], "sourceIdentifier": "psirt@sailpoint.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@sailpoint.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.5,8.5p2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.4,8.4p4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "IdentityIQ", "source": "cna", "vendor": "SailPoint Technologies"}, "product": "identityiq", "vendor": "sailpoint_technologies"}], "analysis": {"en": {"generated_at": "2026-04-16T02:29:40.251086+00:00", "value": {"mitigation_remediation": ["Remove the Debug Pages Read Only capability and any custom capabilities that include the ViewAccessDebugPage SPRight from all users and workgroups as an immediate countermeasure.", "Conduct a thorough review of access control assignments to ensure no user retains debug\u2011related capabilities, and document any changes for audit purposes.", "Monitor the SailPoint security advisories or vendor website for an official patch or correct fix, and plan to apply it once released to fully eliminate the authorization flaw."], "summary": {"action": "Assess Impact", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "SailPoint Technologies IdentityIQ versions 8.5 before patch level 8.5p2 and 8.4 before patch level 8.4p4 are impacted. Users of these releases with the specified capabilities are susceptible; no other versions are mentioned.", "description_and_impact": "IdentityIQ 8.5 and 8.4 allow authenticated users who possess the Debug Pages Read Only capability or any custom capability containing the ViewAccessDebugPage SPRight to create new IdentityIQ objects without proper checks. This flaw, classified as CWE-863, can permit users to introduce or modify objects that may alter system configuration or grant additional permissions, thereby elevating privileges and compromising the integrity of the data and the confidentiality of the configuration. The issue does not expose information directly but enables a misuse of the system's object creation functionality.", "risk_and_exploitability": "A CVSS score of 8.4 signals a high severity vulnerability and the lack of an EPSS value indicates that current exploitation probability is not quantified. The vulnerability appears to be exploitable only by authenticated internal users who have been granted the relevant debug-related capabilities. No public exploitation has been reported and the vulnerability is not listed in the CISA KEV catalog. Until a vendor\u2011issued security fix is available, the primary risk lies in privilege escalation for any identity that retains those debug capabilities, manipulating object creation control."}}}}, "created": "2026-04-16T02:30:21.690602+00:00", "updated": "2026-04-16T09:12:35.246138+00:00", "vendors": ["sailpoint_technologies", "sailpoint_technologies$PRODUCT$identityiq"]}