CVE-2026-5712
Role Definition Editing in IdentityIQ
Publication date: 2026-04-29
Last updated on: 2026-05-05
Assigner: SailPoint Technologies
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sailpoint | identityiq | 8.3 |
| sailpoint | identityiq | 8.4 |
| sailpoint | identityiq | up to 8.3 (exclusive) |
| sailpoint | identityiq | 8.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5712 is an Incorrect Authorization Vulnerability in SailPoint IdentityIQ Role Editor. It allows an authenticated user who is either the requestor or assignee of a work item to edit the definition of a role without having the necessary capability or permission to do so.
This means that users can modify role definitions even if they are not authorized to perform role editing, potentially bypassing security controls.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized modifications of role definitions within the IdentityIQ system.
- Users without proper role editing capabilities can change roles, potentially granting excessive or inappropriate access.
- Such unauthorized changes can compromise the security of the system by allowing privilege escalation or access to sensitive resources.
- The vulnerability has a high severity score (CVSS 8.0), indicating significant risk to confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized editing of role definitions by authenticated users without the required capabilities, which can lead to unauthorized access and privilege escalation.
Such unauthorized role modifications can undermine access controls and segregation of duties, potentially resulting in non-compliance with common standards and regulations like GDPR and HIPAA that require strict access management and protection of sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-5712, you should apply the patches released by SailPoint that address this incorrect authorization vulnerability.
- Install patch IIQSR-972 for your specific IdentityIQ version.
- Ensure your IdentityIQ version is updated to at least 8.5p2, 8.4p4, or 8.3p5, depending on your current version.
These patches fix the issue allowing authenticated users who are requestors or assignees of a work item to edit role definitions without proper authorization.