CVE-2026-41522 in iris-webinfo

Summary

by MITRE • 06/04/2026

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR); bulk IOC disclosure via `case.iocs`, where the `case(caseId: …).iocs` resolver returns the IOCs linked to an arbitrary case without verifying that the caller has access to that case; and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.
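The missing check described above, as an added example that is not DFIR-IRIS code: a single case-ACL decision shared by a REST handler and a GraphQL-style resolver, shown next to the unchecked resolver pattern the advisory describes, plus a case-creation function gated on role rather than on mere authentication. The `User`/`Case` model, the roles, the `require_case_access` decorator and all case and IOC data are constructed for illustration; IRIS's real ACL helpers and schema are not reproduced.

```python
"""Added example, not DFIR-IRIS code: one case-ACL decision point shared by a
REST handler and a GraphQL-style resolver, beside the unchecked resolver
pattern the advisory describes. Users, roles, cases and IOCs are constructed."""
from dataclasses import dataclass, field
from functools import wraps


class AccessDenied(Exception):
    """Raised when the caller may not read or create the requested case."""


@dataclass
class User:
    user_id: int
    role: str                 # constructed roles: "analyst" or "admin"


@dataclass
class Case:
    case_id: int
    iocs: list = field(default_factory=list)
    members: set = field(default_factory=set)   # user_ids granted access


# Constructed data: user 1 is on case 10 only, user 2 on case 20 only.
CASES = {
    10: Case(10, iocs=["198.51.100.7", "evil.example"], members={1}),
    20: Case(20, iocs=["203.0.113.9"], members={2}),
}


def user_has_case_access(user: User, case_id: int) -> bool:
    """The single ACL decision: admins see every case, others need membership."""
    case = CASES.get(case_id)
    return case is not None and (user.role == "admin" or user.user_id in case.members)


def require_case_access(func):
    """Decorator so no handler, REST or GraphQL, can skip the ACL check."""
    @wraps(func)
    def wrapper(user: User, case_id: int, *args, **kwargs):
        if not user_has_case_access(user, case_id):
            raise AccessDenied(f"user {user.user_id} has no access to case {case_id}")
        return func(user, case_id, *args, **kwargs)
    return wrapper


# Vulnerable pattern (IDOR): the resolver looks the case up by id and returns
# its IOCs to any authenticated caller, never consulting the ACL.
def resolve_case_iocs_unchecked(user: User, case_id: int) -> list:
    return list(CASES[case_id].iocs)


# Hardened pattern: the GraphQL resolver and the REST handler share one check.
@require_case_access
def resolve_case_iocs(user: User, case_id: int) -> list:
    return list(CASES[case_id].iocs)


@require_case_access
def rest_get_case_iocs(user: User, case_id: int) -> list:
    return list(CASES[case_id].iocs)


def create_case(user: User, case_id: int, allowed_roles=("admin",)) -> Case:
    """Case creation is gated on role, not merely on being authenticated."""
    if user.role not in allowed_roles:
        raise AccessDenied(f"role {user.role!r} may not create cases")
    if case_id in CASES:
        raise ValueError(f"case {case_id} already exists")
    CASES[case_id] = Case(case_id, members={user.user_id})
    return CASES[case_id]


def attempt(func, *args):
    """Run a handler and report ('ok', result) or ('denied', message)."""
    try:
        return ("ok", func(*args))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    analyst = User(1, "analyst")
    print(attempt(resolve_case_iocs_unchecked, analyst, 20))  # leaks case 20
    print(attempt(resolve_case_iocs, analyst, 20))            # denied
    print(attempt(create_case, analyst, 30))                  # denied
```

The design point is that the decision lives in one function and is attached by a decorator, so a second API surface added later (as the GraphQL blueprint was) either reuses it or visibly lacks it in review; the advisory's fix of deleting the unused surface outright is the stronger option when the feature is not needed.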


Analysis

by VulDB Data Team • 06/05/2026

The DFIR-IRIS platform presents a critical authorization vulnerability through its optional GraphQL endpoint that existed prior to version 2.4.28. This vulnerability stems from inadequate access control implementation within the GraphQL interface, creating a significant security gap that allows authenticated users to bypass normal permission boundaries. The GraphQL endpoint at /graphql operates independently from the REST API's authorization framework, creating a vector for privilege escalation and data exposure. This flaw represents a direct violation of the principle of least privilege and demonstrates poor security architecture where multiple access control mechanisms fail to synchronize properly.

The technical implementation of this vulnerability manifests through three distinct attack vectors that collectively undermine the platform's security model. The first vector involves insecure direct object reference (IDOR) through the case.iocs resolver, which allows any authenticated user to retrieve indicators of compromise from arbitrary cases without proper authorization verification. This resolver fails to implement case access control checks, enabling unauthorized data enumeration across multiple investigation cases. The second vector enables bulk data disclosure through the case.iocs query, where attackers can extract multiple IOCs simultaneously rather than through individual requests. The third vector allows unauthorized case creation, permitting malicious actors to generate new cases within the system without proper authorization. These vulnerabilities collectively represent a complete breakdown in access control enforcement and demonstrate the absence of proper input validation and authorization checks.

The operational impact of this vulnerability extends beyond simple data exposure to encompass potential compromise of ongoing investigations and sensitive forensic data. An attacker with minimal privileges can enumerate IOCs from cases they should not have access to, potentially exposing evidence of compromise across multiple investigations. This capability undermines the integrity of incident response processes and could lead to information leakage that affects the confidentiality of sensitive security data. The bulk disclosure capability amplifies the impact by allowing rapid extraction of large volumes of data, potentially exposing multiple cases simultaneously. The unauthorized case creation capability provides attackers with additional vectors for data manipulation and could be used to create false evidence or disrupt legitimate investigation workflows. These impacts align with attack patterns described in the attack tree methodology and represent significant risks to organizational security posture.

The vulnerability directly corresponds to CWE-285 (Improper Authorization) and CWE-284 (Improper Access Control) categories, with additional alignment to CWE-352 (Cross-Site Request Forgery) due to the unauthorized data access patterns. From the MITRE ATT&CK framework perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as attackers could leverage authenticated access to escalate privileges and access sensitive data. The remediation approach taken by the developers involved complete removal of the GraphQL functionality, which addresses the root cause by eliminating the insecure code path entirely. This approach aligns with the principle of defense in depth, where removing unused functionality reduces the attack surface. The recommended workarounds provide temporary mitigation through network-level blocking at reverse proxy or code-level disabling, both of which are standard practices for addressing vulnerable components in production environments.
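To confirm that the reverse-proxy workaround is actually in effect, and to look for earlier use of the endpoint, here is an added example (not from the advisory or from the project) that scans combined-format access log lines for `/graphql` requests. Since the feature was not in use, any served request to it deserves review, and a burst from one source suggests cross-case enumeration. The log lines, usernames and addresses are constructed samples; the regex assumes the nginx/Apache combined format.

```python
"""Added example, not part of the advisory or DFIR-IRIS: find /graphql use in
reverse-proxy access logs and check that the blocking workaround holds.
All log lines below are constructed samples in the combined log format."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 - alice [05/Jun/2026:10:01:02 +0000] "POST /graphql HTTP/1.1" 200 1840 "-" "python-requests/2.31"
10.0.0.5 - alice [05/Jun/2026:10:01:03 +0000] "POST /graphql HTTP/1.1" 200 1911 "-" "python-requests/2.31"
10.0.0.5 - alice [05/Jun/2026:10:01:03 +0000] "POST /graphql HTTP/1.1" 200 2044 "-" "python-requests/2.31"
10.0.0.9 - bob [05/Jun/2026:10:02:10 +0000] "GET /case/10/iocs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [05/Jun/2026:10:02:11 +0000] "POST /graphql HTTP/1.1" 403 162 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def graphql_activity(lines, endpoint="/graphql"):
    """Per source IP: requests to the endpoint, how many were served (2xx),
    how many were blocked (403/404), and bytes returned on served ones."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0,
                                  "blocked": 0, "served_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != endpoint:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if 200 <= rec["status"] < 300:
            stats["served"] += 1
            stats["served_bytes"] += rec["size"]
        elif rec["status"] in (403, 404):
            stats["blocked"] += 1
    return dict(per_ip)


def findings(lines, endpoint="/graphql"):
    """One finding per source that received a served response from the endpoint."""
    out = []
    for ip, stats in graphql_activity(lines, endpoint).items():
        if stats["served"]:
            out.append(f"{ip}: {stats['served']} served {endpoint} request(s), "
                       f"{stats['served_bytes']} bytes returned; review the account "
                       f"behind this source and the cases it could reach")
    return out


def workaround_effective(lines, endpoint="/graphql") -> bool:
    """True when no request to the endpoint was served, i.e. the proxy block held."""
    return all(s["served"] == 0 for s in graphql_activity(lines, endpoint).values())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in findings(lines):
        print(f)
    print("workaround effective:", workaround_effective(lines))
```

Run it against the proxy's real access log after the block is deployed: `workaround_effective` should be True from that point on, and `findings` over the pre-block window gives the list of sources whose accounts and reachable cases need review.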

The security implications of this vulnerability extend to compliance requirements and organizational security policies. Organizations using DFIR-IRIS must consider the potential impact of unauthorized data access on regulatory compliance, particularly in environments where data protection regulations require strict access controls. The vulnerability demonstrates the importance of comprehensive security testing across all application interfaces, including optional features that may not be actively used. The removal of the GraphQL blueprint, resolvers, and related dependencies represents a complete architectural fix that eliminates the vulnerability at its source. This approach contrasts with partial fixes that might address symptoms rather than root causes, and provides a more robust solution that prevents similar issues from reoccurring in the future. The incident highlights the need for continuous security assessment of all application components, regardless of their perceived usage frequency.

Responsible

GitHub M

Reservation

04/20/2026

Disclosure

06/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
