IdentityIQ 8.5/8.4 Vulnerable to Auth Object Creation via Debug Pages
CVE-2026-4857 Published on April 15, 2026
SailPoint IdentityIQ Debug UI Incorrect Authorization
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
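The interim mitigation above can be turned into a triage check. This is an added example, not SailPoint or stack.watch code: it assumes the capability definitions and assignments have already been exported into plain Python mappings, and every capability, right, identity and workgroup name in the sample data is constructed, apart from Debug Pages Read Only and ViewAccessDebugPage.

```python
import re

# Fixed patch level per affected release line, taken from the advisory text.
FIXED_PATCH = {"8.5": 2, "8.4": 4}
RISKY_RIGHT = "ViewAccessDebugPage"
RISKY_CAPABILITY = "Debug Pages Read Only"

def is_affected(version):
    """True/False for the 8.5 and 8.4 lines; None if the advisory does not list the line."""
    m = re.fullmatch(r"(\d+\.\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    line, patch = m.group(1), int(m.group(2) or 0)  # no "pN" suffix means base release
    if line not in FIXED_PATCH:
        return None
    return patch < FIXED_PATCH[line]

def risky_capabilities(capabilities):
    """Capabilities that are Debug Pages Read Only by name or that carry the SPRight."""
    return {name for name, rights in capabilities.items()
            if name == RISKY_CAPABILITY or RISKY_RIGHT in rights}

def holders_to_unassign(capabilities, assignments):
    """Map each identity or workgroup to the risky capabilities it currently holds."""
    risky = risky_capabilities(capabilities)
    return {holder: sorted(risky & set(caps))
            for holder, caps in assignments.items()
            if risky & set(caps)}

# Constructed sample inventory (assumed export format, hypothetical names).
CAPABILITIES = {
    "Debug Pages Read Only": [],  # rights not exported here; matched by name
    "Helpdesk Troubleshooter": ["ViewIdentity", "ViewAccessDebugPage"],
    "Report Viewer": ["ViewReports"],
}
ASSIGNMENTS = {
    "identity:jdoe": ["Report Viewer"],
    "identity:asmith": ["Helpdesk Troubleshooter", "Report Viewer"],
    "workgroup:L2 Support": ["Debug Pages Read Only"],
}

if __name__ == "__main__":
    print("8.5p1 affected:", is_affected("8.5p1"))
    for holder, caps in holders_to_unassign(CAPABILITIES, ASSIGNMENTS).items():
        print(f"unassign from {holder}: {', '.join(caps)}")
```

A `None` result from `is_affected` means the release line is outside what this advisory lists, not that it is safe.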
Vulnerability Analysis
CVE-2026-4857 can be exploited with network access, and requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-4857 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-4857
Affected Versions
SailPoint Technologies IdentityIQ:
- Version 8.5 and below 8.5p2 is affected.
- Version 8.4 and below 8.4p4 is affected.