CVE-2026-41522
Iris has an Improper Authorization issue
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR), bulk IOC disclosure via `case.iocs`. The `case(caseId: โฆ).iocs` resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case, and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.
| CWE | CWE-285 |
| Vendor | dfir-iris |
| Product | iris-web |
| Published | Jun 4, 2026 |
| Last Updated | Jun 8, 2026 |
Get instant alerts for dfir-iris iris-web
Be the first to know when new unknown vulnerabilities affecting dfir-iris iris-web are published โ delivered to Slack, Telegram or Discord.