CVE-2026-41522

Source
https://cve.org/CVERecord?id=CVE-2026-41522
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41522.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41522
Aliases
  • GHSA-3mxh-x92q-9r25
Published
2026-06-04T19:31:53.483Z
Modified
2026-07-15T01:49:01.959003868Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Iris has an Improper Authorization issue
Details

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at /graphql that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR), bulk IOC disclosure via case.iocs. The case(caseId: …).iocs resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case, and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (graphene, graphene-sqlalchemy, graphql-server[flask]) were removed entirely, since the feature was not in use. As a workaround, block /graphql at the reverse proxy (recommended) or comment out the graphql_blueprint import and register_blueprint call in source/app/views.py and restart.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41522.json",
    "cwe_ids": [
        "CWE-285"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dfir-iris/iris-web

Affected ranges

Type
GIT
Repo
https://github.com/dfir-iris/iris-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.28"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.3.1
v1.4.2
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.0-beta-1
v2.1.0-beta-2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.10
v2.4.12
v2.4.13
v2.4.16
v2.4.18
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.26
v2.4.27
v2.4.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41522.json"