Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities by SailPoint Technologies
CVE-2026-5712 (GCVE-0-2026-5712)
Vulnerability from nvd – Published: 2026-04-29 17:18 – Updated: 2026-04-30 03:56
VLAI
Title
IdentityIQ Role Editor Incorrect Authorization Vulnerability
Summary
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5 , < 8.5p2
(custom)
Affected: 8.4 , < 8.4p4 (custom) Affected: 8.3 , < 8.3p5 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T03:56:06.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.5p2",
"status": "affected",
"version": "8.5",
"versionType": "custom"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "custom"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wildwildwes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\n\u003cp\u003e\u003cspan\u003e\nThis vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.\n\n\u003c/span\u003e\u003c/p\u003e\n\n\u003c/div\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T17:18:27.748Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-role-editor-incorrect-authorization-vulnerability-cve-2026-5712"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Role Editor Incorrect Authorization Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2026-5712",
"datePublished": "2026-04-29T17:18:27.748Z",
"dateReserved": "2026-04-06T17:12:18.180Z",
"dateUpdated": "2026-04-30T03:56:06.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4857 (GCVE-0-2026-4857)
Vulnerability from nvd – Published: 2026-04-15 18:08 – Updated: 2026-04-16 03:55
VLAI
Title
SailPoint IdentityIQ Debug UI Incorrect Authorization
Summary
IdentityIQ 8.5, all
IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ
8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug
Pages Read Only capability or any custom capability with the ViewAccessDebugPage
SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches
containing this security fix are installed, the Debug Pages Read Only
capability and any custom capabilities that contain the ViewAccessDebugPage
SPRight should be unassigned from all identities and workgroups.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5 , < 8.5p2
(custom)
Affected: 8.4 , < 8.4p4 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:39.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.5p2",
"status": "affected",
"version": "8.5",
"versionType": "custom"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wildwildwes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\n\u003cp\u003e\u003cspan\u003eIdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u003cspan\u003e\u0026nbsp; \u003c/span\u003eUntil a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.\u003c/span\u003e\u003c/p\u003e\n\n\u003c/div\u003e"
}
],
"value": "IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u00a0 Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T18:13:53.171Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SailPoint IdentityIQ Debug UI Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2026-4857",
"datePublished": "2026-04-15T18:08:45.737Z",
"dateReserved": "2026-03-25T15:51:35.248Z",
"dateUpdated": "2026-04-16T03:55:39.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from nvd – Published: 2025-11-03 16:35 – Updated: 2026-02-26 17:47
VLAI
Title
Incorrect Content Type Cross-Site Scripting Vulnerability
Summary
IdentityIQ
8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and
all 8.3 patch levels including 8.3p5, and all prior versions allows some
IdentityIQ web services that provide non-HTML content to be accessed via a URL
path that will set the Content-Type to HTML allowing a requesting browser to
interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5
(semver)
Affected: 8.4 , < 8.4p4 (semver) Affected: 8.3 , ≤ 8.3p5 (semver) |
Date Public
2025-11-03 16:35
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-04T04:55:16.675765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:39.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2026-02-26T17:47:39.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from nvd – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42
VLAI
Title
IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) |
|
| sailpoint | identityiq |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-5712 (GCVE-0-2026-5712)
Vulnerability from cvelistv5 – Published: 2026-04-29 17:18 – Updated: 2026-04-30 03:56
VLAI
Title
IdentityIQ Role Editor Incorrect Authorization Vulnerability
Summary
This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5 , < 8.5p2
(custom)
Affected: 8.4 , < 8.4p4 (custom) Affected: 8.3 , < 8.3p5 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T03:56:06.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.5p2",
"status": "affected",
"version": "8.5",
"versionType": "custom"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "custom"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wildwildwes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\n\u003cp\u003e\u003cspan\u003e\nThis vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.\n\n\u003c/span\u003e\u003c/p\u003e\n\n\u003c/div\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T17:18:27.748Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-role-editor-incorrect-authorization-vulnerability-cve-2026-5712"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Role Editor Incorrect Authorization Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2026-5712",
"datePublished": "2026-04-29T17:18:27.748Z",
"dateReserved": "2026-04-06T17:12:18.180Z",
"dateUpdated": "2026-04-30T03:56:06.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4857 (GCVE-0-2026-4857)
Vulnerability from cvelistv5 – Published: 2026-04-15 18:08 – Updated: 2026-04-16 03:55
VLAI
Title
SailPoint IdentityIQ Debug UI Incorrect Authorization
Summary
IdentityIQ 8.5, all
IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ
8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug
Pages Read Only capability or any custom capability with the ViewAccessDebugPage
SPRight to incorrectly create new IdentityIQ objects. Until a remediating security fix or patches
containing this security fix are installed, the Debug Pages Read Only
capability and any custom capabilities that contain the ViewAccessDebugPage
SPRight should be unassigned from all identities and workgroups.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5 , < 8.5p2
(custom)
Affected: 8.4 , < 8.4p4 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:39.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.5p2",
"status": "affected",
"version": "8.5",
"versionType": "custom"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "wildwildwes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\n\n\u003cp\u003e\u003cspan\u003eIdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u003cspan\u003e\u0026nbsp; \u003c/span\u003eUntil a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups.\u003c/span\u003e\u003c/p\u003e\n\n\u003c/div\u003e"
}
],
"value": "IdentityIQ 8.5, all\nIdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ\n8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug\nPages Read Only capability or any custom capability with the ViewAccessDebugPage\nSPRight to incorrectly create new IdentityIQ objects.\u00a0 Until a remediating security fix or patches\ncontaining this security fix are installed, the Debug Pages Read Only\ncapability and any custom capabilities that contain the ViewAccessDebugPage\nSPRight should be unassigned from all identities and workgroups."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T18:13:53.171Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-debug-ui-incorrect-authorization-vulnerability-cve-2026-4857"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SailPoint IdentityIQ Debug UI Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2026-4857",
"datePublished": "2026-04-15T18:08:45.737Z",
"dateReserved": "2026-03-25T15:51:35.248Z",
"dateUpdated": "2026-04-16T03:55:39.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from cvelistv5 – Published: 2025-11-03 16:35 – Updated: 2026-02-26 17:47
VLAI
Title
Incorrect Content Type Cross-Site Scripting Vulnerability
Summary
IdentityIQ
8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and
all 8.3 patch levels including 8.3p5, and all prior versions allows some
IdentityIQ web services that provide non-HTML content to be accessed via a URL
path that will set the Content-Type to HTML allowing a requesting browser to
interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.5
(semver)
Affected: 8.4 , < 8.4p4 (semver) Affected: 8.3 , ≤ 8.3p5 (semver) |
Date Public
2025-11-03 16:35
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-04T04:55:16.675765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:39.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2026-02-26T17:47:39.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from cvelistv5 – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42
VLAI
Title
IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) |
|
| sailpoint | identityiq |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}