CVE-2026-5712

High

Published: 29 April 2026

Published

29 April 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0004 11.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5712 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Sailpoint Identityiq. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources like role definitions, directly preventing authenticated users lacking role editing capabilities from making unauthorized modifications.

AC-6 Least Privilege good match

prevent

Implements least privilege to ensure only users with explicitly assigned role editing capabilities can perform such actions, blocking exploitation by low-privilege requestors or assignees of work items.

AC-24 Access Control Decisions good match

prevent

Requires processes and mechanisms to authorize and enforce access decisions for specific resources such as role definitions, addressing the incorrect authorization check in work item handling.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

Why these techniques?

Vulnerability enables unauthorized role definition editing in identity management system, directly facilitating privilege escalation via access control changes (T1068) and account/identity manipulation (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

Deeper analysisAI

CVE-2026-5712 is an incorrect authorization vulnerability (CWE-863) affecting all versions of SailPoint IdentityIQ. Published on 2026-04-29, it enables an authenticated identity serving as the requestor or assignee of a work item to edit the definition of a role without possessing the required capability for role editing. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires an authenticated attacker with low privileges (PR:L) who is positioned as the requestor or assignee of a specific work item. The attack is feasible over the network (AV:N) but demands high complexity (AC:H) and user interaction (UI:R), with scope expansion (S:C) upon success. This allows unauthorized editing of role definitions, potentially enabling privilege escalation, manipulation of access controls, or disruption of identity management processes.

Mitigation guidance is available in the official SailPoint security advisory at https://www.sailpoint.com/security-advisories/sailpoint-identityiq-role-editor-incorrect-authorization-vulnerability-cve-2026-5712.