Cyber Resilience

CVE-2026-5712

High

Published: 29 April 2026

Published
29 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0016 5.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5712 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Sailpoint Identityiq. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-5712 is an incorrect authorization vulnerability (CWE-863) affecting all versions of SailPoint IdentityIQ. Published on 2026-04-29, it enables an authenticated identity serving as the requestor or assignee of a work item to edit the definition of a role without possessing the required capability for role editing. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires an authenticated attacker with low privileges (PR:L) who is positioned as the requestor or assignee of a specific work item. The attack is feasible over the network (AV:N) but demands high complexity (AC:H) and user interaction (UI:R), with scope expansion (S:C) upon success. This allows unauthorized editing of role definitions, potentially enabling privilege escalation, manipulation of access controls, or disruption of identity management processes.

Mitigation guidance is available in the official SailPoint security advisory at https://www.sailpoint.com/security-advisories/sailpoint-identityiq-role-editor-incorrect-authorization-vulnerability-cve-2026-5712.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Vulnerability enables unauthorized role definition editing in identity management system, directly facilitating privilege escalation via access control changes (T1068) and account/identity manipulation (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42843Shared CWE-863
CVE-2020-36920Shared CWE-863
CVE-2024-41140Shared CWE-863
CVE-2025-41078Shared CWE-863
CVE-2025-64421Shared CWE-863
CVE-2026-41404Shared CWE-863
CVE-2024-44305Shared CWE-863
CVE-2026-4639Shared CWE-863
CVE-2026-41344Shared CWE-863
CVE-2025-27822Shared CWE-863

Affected Assets

sailpoint
identityiq
8.3, 8.4, 8.5 · ≤ 8.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources like role definitions, directly preventing authenticated users lacking role editing capabilities from making unauthorized modifications.

prevent

Implements least privilege to ensure only users with explicitly assigned role editing capabilities can perform such actions, blocking exploitation by low-privilege requestors or assignees of work items.

prevent

Requires processes and mechanisms to authorize and enforce access decisions for specific resources such as role definitions, addressing the incorrect authorization check in work item handling.

References