Description
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.
Published: 2026-01-12
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the DFIR-IRIS datastore file management system allows an authenticated user to delete any file on the server’s filesystem. Because the file update operation lets the user mass-assign the file_local_name field to an arbitrary path, and the delete routine then trusts that field without path validation, the subsequent delete removes whatever path the field names. This flaw can lead to denial of service for the affected application, loss of critical forensic artifacts, or the removal of system files if an attacker gains sufficient privileges. The weakness is rooted in improper input handling and insecure delete logic, corresponding to the identified CWEs for unsafe file deletion (CWE-434, CWE-73, CWE-915).

Affected Systems

DFIR-IRIS Iris-Web versions prior to 2.4.24 are affected. The security advisory and update address the mass assignment issue in the file management subsystem. No specific sub-components or third-party libraries are listed beyond the main Iris-Web application.

Risk and Exploitability

The CVSS score of 9.6 reflects a high-severity impact; the EPSS score of < 1% indicates that exploitation is unlikely but not impossible. The vulnerability is not currently listed in CISA’s KEV catalog, suggesting no confirmed widespread exploitation. Inferred from the description, the attack requires authenticated access to the application; the attacker must first upload a file, then update its filename to a target path, and finally invoke the delete operation. Once these conditions are satisfied, the system will delete the specified path without additional checks.

Generated by OpenCVE AI on April 18, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Iris-Web 2.4.24 patch or later that corrects the mass assignment bug and enforces path validation during deletion
  • Enforce path validation by configuring OS file system controls (e.g., SELinux, AppArmor, chroot) to restrict delete operations to allowed directories
  • Review and restrict user permissions, ensuring only authorized roles can modify the file_local_name field or invoke delete operations
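As an added illustration of the two controls the first and third actions describe (an allow-list on the update endpoint so file_local_name cannot be mass-assigned, and a containment check on the stored path before deletion), this is example code written here, not DFIR-IRIS code; DatastoreFile, update_file, delete_file and every path are hypothetical.

```python
# Added illustration of the fix pattern this record describes, not DFIR-IRIS code.
# DatastoreFile, update_file, delete_file and all paths here are hypothetical.
import shutil, tempfile
from dataclasses import dataclass
from pathlib import Path

# Fields a client may change via the update endpoint; file_local_name is
# server-managed (the on-disk location) and deliberately not in this set.
UPDATABLE_FIELDS = frozenset({"file_original_name", "file_description"})

@dataclass
class DatastoreFile:
    file_original_name: str
    file_local_name: str  # server-assigned name relative to the datastore root
    file_description: str = ""

def update_file(record, payload):
    """Hardened update: copy allow-listed fields only; return the rejected keys."""
    for key in UPDATABLE_FIELDS & set(payload):
        setattr(record, key, payload[key])
    return sorted(set(payload) - UPDATABLE_FIELDS)

def resolve_in_datastore(local_name, root):
    """Real path of local_name if it stays strictly under root, else None. resolve()
    follows symlinks, and an absolute local_name replaces root in the join, so both
    a symlink pointing outside and an absolute or '..' path are rejected."""
    root = Path(root).resolve()
    candidate = (root / local_name).resolve()
    return candidate if root in candidate.parents else None

def delete_file(record, root):
    """Hardened delete: re-validate the stored path before unlinking."""
    target = resolve_in_datastore(record.file_local_name, root)
    if target is None or not target.is_file():
        return None
    target.unlink()
    return target

def demo():
    """Constructed walk-through in temp dirs; returns outcomes for checking."""
    root, other = (Path(tempfile.mkdtemp(prefix=p)) for p in ("iris_ds_", "iris_other_"))
    stored, outside = root / "a1b2c3.bin", other / "victim.txt"
    stored.write_bytes(b"evidence"); outside.write_bytes(b"not in datastore")
    rec = DatastoreFile("evidence.bin", "a1b2c3.bin")
    rejected = update_file(rec, {"file_description": "disk image", "file_local_name": str(outside)})
    blocked = delete_file(DatastoreFile("x", str(outside)), root) is None and outside.exists()
    legit = delete_file(rec, root) == stored.resolve() and not stored.exists()
    shutil.rmtree(root); shutil.rmtree(other)
    return {"rejected": rejected, "local_name_kept": rec.file_local_name == "a1b2c3.bin",
            "description_set": rec.file_description == "disk image",
            "outside_blocked": blocked, "legit_deleted": legit}
```

The containment check belongs in the delete handler itself, not only at upload time, because the stored field is what the delete trusts.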

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 18:45:00 +0000
Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:dfir-iris:iris:*:*:*:*:*:*:*:*

Tue, 13 Jan 2026 09:30:00 +0000
Type | Values Removed | Values Added
First Time appeared | | Dfir-iris; Dfir-iris iris
Vendors & Products | | Dfir-iris; Dfir-iris iris

Mon, 12 Jan 2026 19:15:00 +0000
Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:30:00 +0000
Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | Iris Allows Arbitrary File Deletion via Mass Assignment in Datastore File Management
Weaknesses | | CWE-434; CWE-73; CWE-915
References | | (none listed)
Metrics | | cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:52:04.765Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22783

Vulnrichment

Updated: 2026-01-12T18:51:57.989Z

NVD

Status : Analyzed

Published: 2026-01-12T19:16:03.953

Modified: 2026-01-16T18:42:18.303

Link: CVE-2026-22783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses