← back
CVE-2026-4857

SailPoint IdentityIQ Debug UI Incorrect Authorization

CVSS 8.4 HIGHEPSS 0.3%CWE-863
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.4EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
15 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects.  Until a remediating security fix or patches containing this security fix are installed, the Debug Pages Read Only capability and any custom capabilities that contain the ViewAccessDebugPage SPRight should be unassigned from all identities and workgroups.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H