IdentityIQ Flaw Allows Unauthorized Object Creation
The National Vulnerability Database (NVD) has flagged a significant vulnerability, CVE-2026-4857, impacting SailPoint’s IdentityIQ. Specifically, IdentityIQ 8.5 patch levels prior to 8.5p2, and all IdentityIQ 8.4 patch levels prior to 8.4p4, are susceptible. This flaw, rated with a high CVSS score of 8.4, allows authenticated users with either the ‘Debug Pages Read Only’ capability or any custom capability containing the ViewAccessDebugPage SPRight to incorrectly create new IdentityIQ objects.
This isn’t just a minor misconfiguration; it’s a critical authorization bypass (CWE-863) that could lead to unauthorized system manipulation. Until a security fix is deployed, the NVD recommends immediate action: revoke the ‘Debug Pages Read Only’ capability and any custom capabilities containing the ViewAccessDebugPage SPRight from all identities and workgroups. This is a temporary measure, but a necessary one to plug a gaping hole in access control.
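To turn the advisory's two facts into a check, here is an added example (not SailPoint's code or API) that decides whether an IdentityIQ version string falls in the vulnerable range and then lists every identity or workgroup holding any capability, built-in or custom, whose rights include ViewAccessDebugPage. The capability and assignment data are constructed inline as plain dictionaries standing in for an exported configuration; only the version boundaries, the capability name and the SPRight name come from the advisory.

```python
import re
from typing import Dict, Iterable, List, Set

# From the advisory: the right that grants the flawed object-creation path,
# and the first fixed patch level on each affected branch (8.4p4, 8.5p2).
VULN_RIGHT = "ViewAccessDebugPage"
FIXED_PATCH = {(8, 4): 4, (8, 5): 2}


def is_affected(version: str) -> bool:
    """True if a version like '8.4p3' or '8.5' (no patch) is in the vulnerable range."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # branch not named in the advisory: out of scope here
    return patch < fixed


def capabilities_with_right(caps: Dict[str, Iterable[str]], right: str = VULN_RIGHT) -> Set[str]:
    """Every capability, built-in or custom, whose SPRights include `right`."""
    return {name for name, rights in caps.items() if right in set(rights)}


def holders(assignments: Dict[str, List[str]], caps: Dict[str, Iterable[str]],
            right: str = VULN_RIGHT) -> Dict[str, List[str]]:
    """Map each identity/workgroup to the risky capabilities it holds (clean ones omitted)."""
    risky = capabilities_with_right(caps, right)
    result: Dict[str, List[str]] = {}
    for subject, held in assignments.items():
        hit = sorted(c for c in held if c in risky)
        if hit:
            result[subject] = hit
    return result


# Constructed sample data (assumption): capability -> rights, subject -> capabilities.
SAMPLE_CAPS = {
    "Debug Pages Read Only": ["ViewAccessDebugPage"],
    "HelpDesk": ["ViewIdentity"],
    "Ops Troubleshooter": ["ViewIdentity", "ViewAccessDebugPage"],  # custom capability
}
SAMPLE_ASSIGNMENTS = {
    "alice": ["HelpDesk"],
    "bob": ["Debug Pages Read Only"],
    "wg-platform-ops": ["HelpDesk", "Ops Troubleshooter"],  # a workgroup, not a person
}

if __name__ == "__main__":
    print("8.4p3 affected:", is_affected("8.4p3"))
    print("to revoke from:", holders(SAMPLE_ASSIGNMENTS, SAMPLE_CAPS))
```

The custom capability is what the second pass catches: revoking only the named built-in capability would leave the workgroup with the same right.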
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4857 | Privilege Escalation | SailPoint IdentityIQ 8.5 prior to 8.5p2 |
| CVE-2026-4857 | Privilege Escalation | SailPoint IdentityIQ 8.4 prior to 8.4p4 |
| CVE-2026-4857 | Auth Bypass | Authenticated users with 'Debug Pages Read Only' capability or custom capability with 'ViewAccessDebugPage' SPRight |
| CVE-2026-4857 | Misconfiguration | Incorrect creation of new IdentityIQ objects via Debug Pages Read Only capability or ViewAccessDebugPage SPRight |