Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch.
Published: 2026-06-04
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IRIS is a collaborative platform for incident responders, and versions before 2.4.28 contain a mass assignment vulnerability. By submitting crafted API requests, an attacker can change database fields that are normally protected, altering investigation data. The weakness is classified as CWE-915 and compromises the integrity of shared information, potentially allowing a user to inject false evidence or mislead other responders. The impact is limited to data manipulation; it does not provide remote code execution or data exfiltration.

Affected Systems

All deployments of IRIS Web running a version earlier than 2.4.28 are affected. The vulnerable product is the IRIS Web component of the DFIR-IRIS suite. Users should check the version reported in the application metadata and upgrade so that the patch is applied.

Risk and Exploitability

The CVSS score for this issue is 4.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires sending manipulated API requests, most likely from an authenticated account. The absence of a high exploitation probability suggests this vulnerability is less likely to be actively used in the wild, but it remains an actionable data integrity concern.

Generated by OpenCVE AI on June 4, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade IRIS Web to version 2.4.28 or newer
  • Configure the application to whitelist model attributes and prevent mass assignment of sensitive fields
  • Review and tighten API endpoint permissions to limit which users can modify critical data
  • Monitor system logs for abnormal changes to investigation records

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Dfir-iris
                                       Dfir-iris iris
Vendors & Products                     Dfir-iris
                                       Dfir-iris iris

Thu, 04 Jun 2026 21:30:00 +0000

Type          Values Removed    Values Added
Description                     IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch.
Title                           IRIS has a Mass Assignment issue
Weaknesses                      CWE-915
References                      (none)
Metrics                         cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T20:57:52.211Z

Reserved: 2026-04-28T16:56:50.190Z

Link: CVE-2026-42540

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T22:16:53.550

Modified: 2026-06-04T22:16:53.550

Link: CVE-2026-42540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses