Sailpoint


Products by Sailpoint Sorted by Most Security Vulnerabilities since 2018

Sailpoint Identityiq: 8 vulnerabilities

By the Year

In 2026 there have been 2 vulnerabilities in Sailpoint with an average score of 8.2 out of ten. Last year, in 2025, Sailpoint had 1 security vulnerability published. That is, 1 more vulnerability has already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 1.10.




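| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 2 | 8.20 |
| 2025 | 1 | 7.10 |
| 2024 | 2 | 0.00 |
| 2023 | 3 | 7.60 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |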

It may take a day or so for new Sailpoint vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Sailpoint Security Vulnerabilities

CVE-2026-5712 (Apr 29, 2026)
IdentityIQ All Versions Role Edit Privilege Escalation
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.
Products: Identityiq

CVE-2026-4857 (Apr 15, 2026)
IdentityIQ 8.5/8.4 Vulnerable to Auth Object Creation via Debug Pages
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
Products: Identityiq

CVE-2025-10280 (Nov 03, 2025)
XSS via Content-Type in SailPoint IdentityIQ 8.4p1-8.4p3
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
Products: Identityiq

CVE-2024-10905 (Dec 02, 2024)
SailPoint IdentityIQ: Unprotected Static Content Access Vulnerability
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Products: Identityiq

CVE-2024-1714 (Feb 21, 2024)
IdentityIQ Auth Bypass via Whitespace in Entitlement Value
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request.
Products: Identityiq

CVE-2023-32217 (Jun 05, 2023)
Auth User May Invoke Any Java Constructor in IdentityIQ 8.x (pre patches)
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
Products: Identityiq

CVE-2022-46835 (Jan 31, 2023)
IdentityIQ <8.3p2/8.2p5/8.1p7/8.0p6 Path Traversal via JSF 2.2.20
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
Products: Identityiq

CVE-2022-45435 (Jan 31, 2023)
IdentityIQ 8.3 Admin Can Modify Identity Forwarding (SetIDForward) Pre8.3p2
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
Products: Identityiq

CVE-2019-12889 (Aug 20, 2019)
An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2
An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would need local access to the machine for a successful exploit. The attacker must disconnect the computer from the local network / WAN and connect it to an internet facing access point / network. At that point, the attacker can execute the password-reset functionality, which will expose a web browser. Browsing to a site that calls local Windows system functions (e.g., file upload) will expose the local file system. From there an attacker can launch a privileged command shell.
Products: Desktop Password Reset
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).