IdentityIQ Authenticated Users Can Create New Objects via Debug Pages
A vulnerability in IdentityIQ 8.5 and 8.4 allows authenticated users with the Debug Pages Read Only capability or custom capabilities containing the ViewAccessDebugPage SPRight to create new IdentityIQ objects.
CVE-2026-4857 affects IdentityIQ versions 8.5 and 8.4, specifically all 8.5 patch levels prior to 8.5p2 and all 8.4 patch levels prior to 8.4p4. This vulnerability allows authenticated users who have been assigned the Debug Pages Read Only capability, or any custom capability that includes the ViewAccessDebugPage SPRight, to incorrectly create new IdentityIQ objects. The vulnerability stems from insufficient access control on debug pages, which can be abused to bypass intended restrictions and instantiate new objects within the application. Defenders should remove the vulnerable capabilities from user roles until a patch is applied.
Attack Chain
- An attacker authenticates to IdentityIQ with a user account.
- The user account has been assigned the "Debug Pages Read Only" capability, or a custom capability including "ViewAccessDebugPage SPRight".
- The attacker accesses a debug page within IdentityIQ.
- The attacker leverages the debug page's functionality to craft a request to create a new IdentityIQ object. This could involve manipulating parameters or exploiting unintended functionality of the debug page.
- IdentityIQ processes the attacker's request without proper authorization checks due to the insufficient access controls on the debug pages.
- A new IdentityIQ object is created based on the attacker's specifications.
- The attacker can now potentially manipulate the newly created object.
Impact
Successful exploitation of CVE-2026-4857 allows authenticated users with limited privileges to create new IdentityIQ objects. This could lead to privilege escalation, data manipulation, or denial-of-service depending on the type of object created and the attacker's subsequent actions. Given the high CVSS score of 8.4, organizations using vulnerable IdentityIQ versions are at significant risk. The impact is especially severe if attackers can create administrative or privileged objects.
Recommendation
- Immediately unassign the "Debug Pages Read Only" capability and any custom capabilities containing the "ViewAccessDebugPage SPRight" from all identities and workgroups as outlined in the vulnerability description.
- Upgrade to IdentityIQ 8.5p2 or 8.4p4, or apply the remediating security fix provided by the vendor to address CVE-2026-4857.
- Monitor web server logs for access to debug pages by users with the "Debug Pages Read Only" capability to detect potential exploitation attempts, as demonstrated in the provided Sigma rule.
Detection coverage 2
Detect Access to Debug Pages with Debug Pages Read Only Capability
mediumDetects access to debug pages in IdentityIQ by users who have the 'Debug Pages Read Only' capability which could be an indicator of CVE-2026-4857 exploitation attempts.
Detect Creation of New IdentityIQ Objects via Web Request
highThis rule detects unusual HTTP requests that create new objects within the IdentityIQ application which could be a sign of exploiting CVE-2026-4857.
Detection queries are available on the platform. Get full rules →