Executive Summary

CVE-2026-4857 is an incorrect authorization vulnerability in SailPoint IdentityIQ Debug UI affecting versions 8.5 (prior to patch 8.5p2) and 8.4 (prior to patch 8.4p4). Authenticated users who have been assigned the "Debug Pages Read Only" capability or any custom capability containing the "ViewAccessDebugPage" SPRight can improperly create new IdentityIQ objects, which they should not be authorized to do.

This vulnerability is classified under CWE-863 (Incorrect Authorization) and has a high severity CVSS v3.1 score of 8.4, indicating it can be exploited remotely with low complexity but requires high privileges and user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with certain capabilities to create new IdentityIQ objects without proper authorization, which can lead to unauthorized changes within the system.

• High impact on confidentiality, as unauthorized users may access or manipulate sensitive identity data.
• High impact on integrity, since unauthorized creation of objects can compromise the accuracy and trustworthiness of identity information.
• High impact on availability, potentially disrupting normal operations by unauthorized modifications.

The vulnerability also involves a scope change, meaning the impact extends beyond the initially authorized privileges.

Useful 0 Not Useful 0

Mitigation Strategies

Until a remediating security fix or patches containing this security fix are installed, the immediate mitigation step is to unassign the "Debug Pages Read Only" capability and any custom capabilities that contain the "ViewAccessDebugPage" SPRight from all identities and workgroups.

SailPoint has released security fix IIQTC-776 for all impacted and supported versions, and future patch levels will include these fixes.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated users with certain capabilities to improperly create new IdentityIQ objects, leading to incorrect authorization and a high impact on confidentiality, integrity, and availability.

Such unauthorized actions could potentially lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to sensitive data and system integrity.

Until patches are applied, the risk of unauthorized data manipulation or exposure may compromise compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper authorization allowing certain authenticated users to create new IdentityIQ objects when they have the "Debug Pages Read Only" capability or any custom capability containing the "ViewAccessDebugPage" SPRight.

To detect if your system is vulnerable, you should check which users or workgroups have been assigned the "Debug Pages Read Only" capability or any custom capabilities containing the "ViewAccessDebugPage" SPRight.

Since the vulnerability is related to IdentityIQ capabilities and permissions, detection involves auditing user and workgroup assignments within the IdentityIQ administrative interface or via IdentityIQ APIs or database queries.

No specific commands are provided in the available resources to detect this vulnerability on your network or system.

As a mitigation step until patches are applied, unassign the "Debug Pages Read Only" capability and any custom capabilities containing the "ViewAccessDebugPage" SPRight from all identities and workgroups.

Useful 0 Not Useful 0