CVE-2026-41522
Description
DFIR-IRIS web platform versions prior to 2.4.28 allow authenticated users to bypass authorization checks via the GraphQL endpoint, leading to unauthorized data access and case creation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
DFIR-IRIS is a collaborative web platform that exposes an optional GraphQL endpoint at /graphql which, prior to version 2.4.28, does not enforce the same authorization checks as the REST API. Any authenticated user can abuse the endpoint in three ways: unauthorized IOC reads across cases (an IDOR), bulk IOC disclosure via the case.iocs resolver, and unauthorized case creation. All three issues are reachable by any authenticated user, regardless of role or case ACL [1].
Exploitation
An attacker needs to be an authenticated user within the Iris platform. They can then send requests to the /graphql endpoint. Specifically, they can use the ioc(iocId: ...) query to read any IOC by iterating through IDs, the case(caseId: ...).iocs resolver to retrieve IOCs from arbitrary cases, or the caseCreate mutation to create cases without proper permission checks [1].
Impact
Successful exploitation allows an authenticated attacker to read sensitive Indicator of Compromise (IOC) data across all cases, even those they do not have access to. They can also create new cases without authorization. This represents a significant breach of confidentiality and integrity for the incident response data stored within the platform [1].
Mitigation
This vulnerability is fixed in version 2.4.28. As a workaround, it is recommended to block the /graphql endpoint at the reverse proxy. Alternatively, users can comment out the graphql_blueprint import and register_blueprint call in source/app/views.py and restart the application [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The optional GraphQL endpoint does not enforce the same authorization checks as the REST API."
Attack vector
An authenticated user can exploit the GraphQL endpoint at `/graphql` to bypass authorization checks present in the REST API. This allows for unauthorized reading of IOCs across cases by iterating through IDs, bulk IOC disclosure via the `case.iocs` resolver, and unauthorized case creation by bypassing standard user permissions. All these actions are possible regardless of the user's role or case access control lists [1].
Affected code
The vulnerability resides in the optional GraphQL endpoint exposed at `/graphql`. Specifically, the `ioc(iocId: …)` query and the `case(caseId: …).iocs` resolver do not properly check for case access. Additionally, the `caseCreate` mutation bypasses standard user permission checks [1].
What the fix does
The vulnerability was fixed by removing the GraphQL endpoint entirely, including its blueprint, resolvers, and dependencies. This approach was taken because the feature was not actively in use. As a workaround, users can block access to `/graphql` at their reverse proxy or comment out the relevant blueprint import and registration in `source/app/views.py` [1].
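To make the root cause concrete, here is an added, hypothetical Python model (not DFIR-IRIS code; every name, function and data value is constructed for this example) that contrasts a resolver which fetches an IOC by id with no ACL check against resolvers that apply the case ACL and the create-case role check before returning anything. The upstream fix removed the endpoint instead; the point of the model is that any second API surface has to sit behind the same checks as the REST layer.

```python
# Added illustration, not DFIR-IRIS code: a GraphQL resolver that fetches an
# object by id without the case ACL check the REST layer applies is an IDOR.
# All names and data below are hypothetical, constructed for the example.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    can_create_cases: bool = False

class Forbidden(Exception):
    pass

# Constructed sample data: alice is on case 1 only, bob is on both cases.
CASES = {
    1: {"members": {"alice", "bob"}, "iocs": {10: "evil.example"}},
    2: {"members": {"bob"}, "iocs": {20: "10.0.0.1"}},
}
IOC_OWNER = {10: 1, 20: 2}  # ioc_id -> owning case_id

def user_on_case(user: User, case_id: int) -> bool:
    return user.name in CASES[case_id]["members"]

# Vulnerable shape: look the IOC up by id and return it, no ACL check at all.
def resolve_ioc_vulnerable(user: User, ioc_id: int) -> str:
    return CASES[IOC_OWNER[ioc_id]]["iocs"][ioc_id]

# Hardened shape: find the owning case first, then apply the same ACL check the
# REST API uses. Unknown ids and foreign cases are refused identically.
def resolve_ioc_hardened(user: User, ioc_id: int) -> str:
    case_id = IOC_OWNER.get(ioc_id)
    if case_id is None or not user_on_case(user, case_id):
        raise Forbidden("ioc not accessible")
    return CASES[case_id]["iocs"][ioc_id]

# The bulk resolver (case.iocs) needs the same gate, or it leaks every IOC at once.
def resolve_case_iocs_hardened(user: User, case_id: int) -> dict:
    if case_id not in CASES or not user_on_case(user, case_id):
        raise Forbidden("case not accessible")
    return dict(CASES[case_id]["iocs"])

# The caseCreate mutation needs the role check, not just a valid session.
def case_create_hardened(user: User) -> int:
    if not user.can_create_cases:
        raise Forbidden("user may not create cases")
    new_id = max(CASES) + 1
    CASES[new_id] = {"members": {user.name}, "iocs": {}}
    return new_id
```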
Preconditions
- auth: The attacker must be an authenticated user.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.