QSearchQSearch

CVE-2026-41522

Iris is a web collaborative platform that helps incident responders share technical details during investigations

Published: 2026-06-04 · Last updated: 2026-06-05

Severity and scoring

CWE
CWE-285

Description

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR), bulk IOC disclosure via `case.iocs`. The `case(caseId: …).iocs` resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case, and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-12213 A vulnerability was found in hcengineering Huly Platform up to 0.7.0 (4.3 MEDIUM)
  • CVE-2026-12204 A vulnerability was determined in ShopXO up to 6.7.1 (7.3 HIGH)
  • CVE-2026-12190 A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android (5.3 MEDIUM)
  • CVE-2026-12189 A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android (5.3 MEDIUM)
  • CVE-2026-49397 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (5.3 MEDIUM)