LeakyCreds

CVE-2026-4857 - Vulnerability Analysis

High
CVSS: 8.4

Last Updated: April 15, 2026

IdentityIQ - Broken Access Control

Published: April 15, 2026
Updated: April 15, 2026
Remote Exploitable

Overview

IdentityIQ 8.5 versions prior to 8.5p2 and 8.4 versions prior to 8.4p4 contain a broken access control vulnerability caused by improper capability assignment. Authenticated users holding the Debug Pages Read Only capability, or custom capabilities, can create new objects that their access should not permit. Exploitation requires that these specific capabilities already be assigned to the user.

Severity & Score

Severity: High
CVSS Score: 8.4

Impact

Authenticated users with specific capabilities can create unauthorized objects, potentially compromising system integrity.

Mitigation

Unassign the Debug Pages Read Only capability, and any custom capabilities that include the ViewAccessDebugPage SPRight, until patch 8.5p2 or 8.4p4 is applied.

Details

CVE ID
CVE-2026-4857
Severity
High
CVSS Score
8.4
Type
broken_access_control
Status
new

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H