CVE-2026-4857
Published: 15 April 2026
Summary
CVE-2026-4857 is a high-severity Incorrect Authorization (CWE-863) vulnerability in SailPoint IdentityIQ (the product named in the NVD description and the vendor advisory below). Its CVSS v3.1 base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 10.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the specific authorization flaw by applying the vendor-recommended patches, IdentityIQ 8.5p2 or 8.4p4.
- AC-6 (Least Privilege): restricts assignment of the Debug Pages Read Only capability, and of any custom capability carrying the ViewAccessDebugPage SPRight, to only the users who genuinely need it, limiting who can reach the flawed object-creation path.
- AC-2 (Account Management): supports reviewing and unassigning excessive privileges such as Debug Pages Read Only from accounts and workgroups as an interim measure until the patch is installed.
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The incorrect authorization check in the Debug UI lets users who were granted only read-only debug access create IdentityIQ objects, which directly enables privilege escalation within the application.
NVD Description
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
Deeper analysis
CVE-2026-4857 is an incorrect authorization vulnerability (CWE-863) in SailPoint IdentityIQ versions 8.5 and all patch levels prior to 8.5p2, as well as IdentityIQ 8.4 and all patch levels prior to 8.4p4. It affects the Debug UI, where authenticated users assigned the Debug Pages Read Only capability or any custom capability including the ViewAccessDebugPage SPRight can improperly create new IdentityIQ objects, bypassing intended access controls. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, required high privileges and user interaction, changed scope, and high impacts across confidentiality, integrity, and availability.
An attacker who already holds an authenticated IdentityIQ session and the Debug Pages Read Only capability (or any custom capability containing the ViewAccessDebugPage SPRight) can exploit this issue remotely over the network; this is what the PR:H metric reflects. The vector also records user interaction as required (UI:R), but neither the NVD description nor the advisory text reproduced here says what that interaction is, so the page does not support a more specific exploitation narrative. The impact is that a nominally read-only debug role gains the ability to create arbitrary IdentityIQ objects. In an identity governance platform, object creation is itself a privilege-escalation primitive, and the changed scope (S:C) together with high confidentiality, integrity and availability impacts in the CVSS metrics reflects that the consequences extend beyond the debug pages to the data and access decisions IdentityIQ manages.
The SailPoint security advisory recommends installing the remediating security fixes in IdentityIQ 8.5p2 or 8.4p4. As an interim measure until patches are applied, organizations should unassign the Debug Pages Read Only capability and any custom capabilities containing the ViewAccessDebugPage SPRight from all identities and workgroups. Note that this review has to be done by SPRight rather than by capability name: a custom capability that bundles ViewAccessDebugPage under an unrelated name grants exactly the same access, so a search for "Debug Pages Read Only" alone will miss it. Further details are available at https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857.
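The two checks a practitioner would want from the analysis above, whether a given IdentityIQ version falls in the affected ranges and which identities and workgroups hold the ViewAccessDebugPage right transitively through any capability, as an added example. This is not code from the page or from SailPoint. It parses a constructed XML export whose element and attribute layout (Capability/RightRefs/Reference, Identity/Capabilities/Reference, workgroup="true") is assumed here to resemble an IdentityIQ object export; adjust the tag names to match what your own export actually produces.

```python
import re
import xml.etree.ElementTree as ET

SPRIGHT = "ViewAccessDebugPage"
# Patch levels that carry the fix, per the NVD description: 8.5p2 and 8.4p4.
FIXED_PATCH = {"8.5": 2, "8.4": 4}


def is_affected(version: str) -> bool:
    """True for the versions the advisory lists as affected: 8.5 below p2, 8.4 below p4.

    A bare "8.5" or "8.4" is treated as patch level 0. Branches the advisory does not
    mention (for example 8.3 or 8.6) return False, meaning "not listed", not "proven safe".
    """
    m = re.fullmatch(r"(\d+\.\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {version!r}")
    branch, patch = m.group(1), int(m.group(2) or 0)
    return branch in FIXED_PATCH and patch < FIXED_PATCH[branch]


def capabilities_granting(root: ET.Element, right: str = SPRIGHT) -> set[str]:
    """Names of every Capability whose RightRefs include the given SPRight.

    This catches the stock "Debug Pages Read Only" capability and any custom
    capability that bundles the same right under a different name.
    """
    found = set()
    for cap in root.iter("Capability"):
        for ref in cap.iter("Reference"):
            if ref.get("class") == "sailpoint.object.SPRight" and ref.get("name") == right:
                found.add(cap.get("name"))
    return found


def holders(root: ET.Element, cap_names: set[str]) -> dict[str, list[str]]:
    """Map each identity or workgroup to the offending capabilities it holds."""
    out: dict[str, list[str]] = {}
    for ident in root.iter("Identity"):
        held = [ref.get("name") for ref in ident.iter("Reference")
                if ref.get("class") == "sailpoint.object.Capability"
                and ref.get("name") in cap_names]
        if held:
            # Assumption: workgroups are Identity objects flagged workgroup="true".
            label = ident.get("name") + (" (workgroup)" if ident.get("workgroup") == "true" else "")
            out[label] = held
    return out


def audit(export_xml: str, version: str) -> dict:
    """Combine the version check with the transitive capability review."""
    root = ET.fromstring(export_xml)
    caps = capabilities_granting(root)
    return {
        "affected_version": is_affected(version),
        "capabilities": sorted(caps),
        "holders": holders(root, caps),
    }


# Constructed sample export: one stock capability, one custom capability that hides the
# right under a helpdesk name, one harmless capability, three users and one workgroup.
SAMPLE_EXPORT = """
<sailpoint>
  <Capability name="Debug Pages Read Only">
    <RightRefs><Reference class="sailpoint.object.SPRight" name="ViewAccessDebugPage"/></RightRefs>
  </Capability>
  <Capability name="Helpdesk Tier 2">
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ViewIdentity"/>
      <Reference class="sailpoint.object.SPRight" name="ViewAccessDebugPage"/>
    </RightRefs>
  </Capability>
  <Capability name="Helpdesk Tier 1">
    <RightRefs><Reference class="sailpoint.object.SPRight" name="ViewIdentity"/></RightRefs>
  </Capability>
  <Identity name="alice">
    <Capabilities><Reference class="sailpoint.object.Capability" name="Debug Pages Read Only"/></Capabilities>
  </Identity>
  <Identity name="bob">
    <Capabilities><Reference class="sailpoint.object.Capability" name="Helpdesk Tier 2"/></Capabilities>
  </Identity>
  <Identity name="carol">
    <Capabilities><Reference class="sailpoint.object.Capability" name="Helpdesk Tier 1"/></Capabilities>
  </Identity>
  <Identity name="L2 Support" workgroup="true">
    <Capabilities><Reference class="sailpoint.object.Capability" name="Helpdesk Tier 2"/></Capabilities>
  </Identity>
</sailpoint>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "8.5p1")
    print("affected version:", report["affected_version"])
    print("capabilities granting", SPRIGHT + ":", report["capabilities"])
    for who, caps in report["holders"].items():
        print(f"  unassign from {who}: {caps}")
```

On the sample, bob and the "L2 Support" workgroup surface only because the review resolves the right through the custom "Helpdesk Tier 2" capability; searching for the "Debug Pages Read Only" name alone would report just alice.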
Details
- CWE(s)