Description
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR); bulk IOC disclosure via `case.iocs`, where the `case(caseId: …).iocs` resolver returns IOCs linked to an arbitrary case without verifying that the caller has access to that case; and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DFIR-IRIS Web exposes a GraphQL endpoint that performs no authorization checks. An authenticated user can therefore leak IOCs from any case, enumerate large numbers of IOCs through the case.iocs resolver, and create cases they are not authorized to create. This represents a direct confidentiality breach and an integrity violation, as attackers can read sensitive information and create bogus cases, potentially disrupting investigations. The weakness is a classic Improper Authorization defect (CWE‑285).

Affected Systems

The vulnerability affects the DFIR‑IRIS web platform, versions earlier than 2.4.28. Users of v2.4.28 and later are not impacted, as the GraphQL feature has been removed entirely. The system runs on the standard IRIS‑Web stack, exposing /graphql to authenticated users without additional checks.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity flaw, but the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, implying no known active exploits at this time. Attackers only need valid credentials to reach the endpoint, so the attack vector is an authenticated session in the web interface. The flaw can be exploited without privilege escalation, making it a low‑barrier threat for any user with access to the platform. The most straightforward remediation is to block or remove the endpoint at the reverse proxy or to install the patched version.

Generated by OpenCVE AI on June 4, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DFIR‑IRIS to version 2.4.28 or later, which removes the vulnerable GraphQL endpoint entirely.
  • As a temporary measure, block access to /graphql on the reverse proxy with an allow/deny rule before applying the patch.
  • If the patch cannot be applied immediately, comment out the graphql_blueprint import and register_blueprint call in source/app/views.py, then restart the application to eliminate the endpoint.
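Alongside blocking or removing the endpoint, it is worth checking whether /graphql was ever used before the fix. The following detection script is an added example, not part of this advisory or of the DFIR-IRIS project; it assumes a reverse proxy that writes one JSON record per request with the authenticated user, the path and, for /graphql, the request body (the log lines and the field names inside the selection sets are constructed, and the case-creation mutation is a placeholder because the advisory does not name it).

```python
import json
import re
from collections import defaultdict

# The per-case IOC read described in the advisory: case(caseId: N).iocs
CASE_IOC_QUERY = re.compile(r"case\s*\(\s*caseId\s*:\s*(\d+)\s*\)")
# Any GraphQL mutation is of interest: the advisory says case creation is
# possible via /graphql but does not name the mutation, so no name is assumed.
MUTATION = re.compile(r"^\s*mutation\b", re.IGNORECASE)

# Constructed sample log lines (not real data): JSON per request, body logged
# only for /graphql. Field names inside the selection sets are made up.
SAMPLE_LOG = """\
{"ts":"2026-06-04T20:01:00Z","user":"analyst1","path":"/graphql","body":"{ case(caseId: 12) { iocs { id } } }"}
{"ts":"2026-06-04T20:01:03Z","user":"analyst1","path":"/graphql","body":"{ case(caseId: 13) { iocs { id } } }"}
{"ts":"2026-06-04T20:01:05Z","user":"analyst1","path":"/graphql","body":"{ case(caseId: 14) { iocs { id } } }"}
{"ts":"2026-06-04T20:02:00Z","user":"analyst2","path":"/api/v2/cases/12","body":""}
{"ts":"2026-06-04T20:03:00Z","user":"analyst3","path":"/graphql","body":"mutation { PLACEHOLDER_CREATE_CASE }"}
"""


def analyze_graphql_usage(log_text):
    """Summarise /graphql activity per user.

    Returns {user: {"cases": [case ids read via case(caseId: N)],
                    "mutations": number of mutation requests}}.
    Only /graphql requests are considered; the REST API enforces the case
    ACL, so REST traffic is not affected by this flaw. Because the vendor
    states the GraphQL feature was not in use, any hit deserves a look, and
    a user reading many distinct case ids is the IDOR pattern to prioritise.
    """
    per_user = defaultdict(lambda: {"cases": set(), "mutations": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != "/graphql":
            continue
        body = rec.get("body", "")
        stats = per_user[rec["user"]]
        stats["cases"].update(int(c) for c in CASE_IOC_QUERY.findall(body))
        if MUTATION.match(body):
            stats["mutations"] += 1
    return {u: {"cases": sorted(s["cases"]), "mutations": s["mutations"]}
            for u, s in per_user.items()}


if __name__ == "__main__":
    for user, summary in analyze_graphql_usage(SAMPLE_LOG).items():
        print(f"{user}: cases={summary['cases']} mutations={summary['mutations']}")
```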
Advisories

No advisories yet.

History

Thu, 04 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | (empty) | (same text as the Description above)
Title | (empty) | Iris has an Improper Authorization issue
Weaknesses | (empty) | CWE-285
References | (empty) | (empty)
Metrics | (empty) | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T19:31:53.483Z

Reserved: 2026-04-20T18:18:50.682Z

Link: CVE-2026-41522

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T20:16:58.140

Modified: 2026-06-04T20:16:58.140

Link: CVE-2026-41522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T21:30:23Z

Weaknesses