SailPoint (NASDAQ: SAIL) reports limited GitHub access incident

Filing Impact

(Moderate)

Filing Sentiment

(Neutral)

Form Type

8-K

Rhea-AI Filing Summary

SailPoint, Inc. reported that on April 20, 2026 it detected unauthorized access to a subset of its GitHub repositories. Its incident response team quickly stopped the activity and resolved the issue, which stemmed from a vulnerability in a third-party application that has been fixed.

With support from an external cybersecurity firm, SailPoint found no evidence that customer data in its production or staging environments were accessed and no interruption of services. The company has directly notified affected customers with information in the accessed repositories and informed customers generally that no further action is required at this time.

8-K Event Classification

Item 7.01 — Regulation FD Disclosure

1 item

Item 7.01 Regulation FD Disclosure Disclosure

Material non-public information disclosed under Regulation Fair Disclosure, often investor presentations or guidance.

Key Terms

Regulation FD, unauthorized access, GitHub repositories, third-party application, +1 more

5 terms

Regulation FD regulatory

"Item 7.01 Regulation FD Disclosure."

Regulation FD is a rule that prevents company insiders, like executives, from sharing important information with some people before others get it. It matters because it helps ensure all investors have equal access to key news, making the stock market fairer and reducing chances of insider trading.

unauthorized access technical

"we detected unauthorized access to a subset of our GitHub repositories"

Entry into computer systems, networks, facilities, or data by people who do not have permission to be there—whether by hacking, stolen credentials, bypassing locks, or improper insider activity. For investors, unauthorized access matters because it can lead to stolen customer or financial data, operational shutdowns, regulatory fines, and damage to reputation—like someone breaking into a locked file cabinet and taking sensitive documents, which can reduce a company’s value and increase costs.

GitHub repositories technical

"unauthorized access to a subset of our GitHub repositories"

third-party application technical

"The root cause was a vulnerability in a third-party application"

emerging growth company regulatory

"Emerging growth company"

An emerging growth company is a recently public or smaller public firm that qualifies for temporary, lighter regulatory and disclosure rules to reduce the cost and effort of being public. For investors, it means the company may provide less historical financial detail and face fewer reporting requirements than larger firms, so it can grow more quickly but also carries higher uncertainty—like buying a promising early-stage product with fewer user reviews.

Understanding 8-K Material Events →

05/08/2026 - 05:20 PM

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): May 8, 2026

SailPoint, Inc.

(Exact name of registrant as specified in its charter)

---------------------------------------------------------------------------------------


Delaware	001-42522	88-2001765
(State or other jurisdiction	(Commission File Number)	(IRS Employer
of incorporation)		Identification No.)

11120 Four Points Drive, Suite 100 78726

Austin, Texas (Zip Code)

(Address of principal executive offices)

Registrant’s telephone number, including area code: (512) 346-2000

Not Applicable

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:


☐			Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐			Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐			Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐			Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

Trading

Symbol(s)

Name of each exchange on which registered

Common stock, par value $0.0001 per share

SAIL

The Nasdaq Stock Market LLC

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933

(§ 230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§ 240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 7.01 Regulation FD Disclosure.

On April 20, 2026, we detected unauthorized access to a subset of our GitHub repositories. Our incident response team quickly terminated the unauthorized activity and resolved the issue. The root cause was a vulnerability in a third-party application, which has been remediated.

Based on our investigation, supported by a third-party cybersecurity response firm, we found no evidence that customer data in our production or staging environments were accessed or that our services were interrupted. We have directly notified each customer that had any information in the accessed repositories and informed our customers generally that no additional actions are required at this time.

The information in this Item 7.01 is being furnished and shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference into any filing under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such a filing.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

SAILPOINT, INC.

Date: May 8, 2026

By:

/s/ Chris Schmitt

Name:

Chris Schmitt

Title:

Executive Vice President, General Counsel, and Secretary

Source: View Original Filing on SEC EDGAR

FAQ

What cybersecurity incident did SailPoint (SAIL) disclose in this 8-K?

SailPoint disclosed that on April 20, 2026 it detected unauthorized access to a subset of its GitHub repositories. The company quickly stopped the activity, remediated the vulnerability, and investigated the scope of access with support from a third-party cybersecurity firm.

Was any SailPoint (SAIL) customer data accessed in the GitHub incident?

According to SailPoint, the investigation found no evidence that customer data in its production or staging environments were accessed. The company emphasized that the unauthorized activity was limited to certain GitHub repositories, and it engaged an external cybersecurity firm to support this assessment.

Did SailPoint’s services experience any disruption from the April 20, 2026 incident?

SailPoint stated there was no evidence that its services were interrupted by the unauthorized access incident detected on April 20, 2026. The event was confined to a subset of GitHub repositories, and the company reported its operations continued without service disruption.

How did SailPoint respond to the GitHub unauthorized access event?

SailPoint’s incident response team quickly terminated the unauthorized activity, resolved the issue, and remediated the underlying vulnerability in a third-party application. The company also retained a third-party cybersecurity response firm and notified customers whose information resided in the accessed repositories.

Did SailPoint require customers to take any action after the security incident?

SailPoint informed customers generally that no additional actions are required at this time in response to the incident. It also directly notified each customer that had any information in the accessed GitHub repositories, explaining the situation and its findings from the investigation.

How is the information in this SailPoint (SAIL) 8-K treated under the Exchange Act?

SailPoint specified that the information under Item 7.01 is being furnished, not filed, for purposes of Section 18 of the Exchange Act. It is not subject to Section 18 liabilities and is not incorporated by reference into other Securities Act or Exchange Act filings unless specifically referenced.

Filing Exhibits & Attachments

3 documents