CVE-2026-42329
Description
Iris web platform versions prior to 2.4.28 are vulnerable to open redirect, enabling phishing attacks by sending users to malicious sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Iris web collaborative platform, versions prior to 2.4.28, contains an open redirect vulnerability. This weakness allows an attacker to manipulate redirect targets due to insufficient input validation, specifically when the `next` parameter is used on the login page [1].
Exploitation
An attacker can craft a link pointing to a legitimate Iris deployment, but with a malicious URL appended via the `next` parameter (e.g., /login?next=attacker.com). The user must be tricked into clicking this link, which will then present the standard authentication page before redirecting them to the attacker-controlled site [1].
Impact
Successful exploitation can lead to phishing attacks. A user, believing they are interacting with a trusted Iris instance, can be redirected to a malicious website controlled by the attacker, potentially leading to credential theft or other forms of compromise [1].
Mitigation
Versions of Iris up to and including 2.4.27 are affected. The issue is fixed in version 2.4.28 [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The web application fails to validate the target of a redirect, allowing an attacker to specify an arbitrary domain."
Attack vector
An attacker can craft a malicious link that points to the Iris login page with a `next` parameter set to a domain controlled by the attacker. When a user clicks this link, they are presented with a seemingly legitimate Iris login page, but upon successful authentication or interaction, they are redirected to the attacker's specified website [ref_id=1]. This technique can be used to facilitate phishing attacks by luring users to fake login pages or other malicious content [ref_id=1].
Affected code
The vulnerability is related to how the Iris web application handles redirect parameters, specifically the `next` parameter on the login page. Insufficient validation of this parameter allows it to be set to an external domain, leading to an open redirect vulnerability [ref_id=1].
What the fix does
The advisory indicates that version 2.4.28 fixes this issue by implementing proper input validation for redirect targets. While the specific code changes are not detailed in the provided information, the fix likely involves ensuring that the `next` parameter only redirects to trusted internal paths and not external domains [ref_id=1]. This prevents the application from redirecting users to attacker-controlled websites.
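The validation the advisory describes can be illustrated with the usual defensive rule for a `next` parameter: accept only an absolute-path reference on the current origin and fall back to a fixed landing page otherwise. The following is an added, framework-independent Python example written for this page; it is not code from the Iris project, and the `DEFAULT_AFTER_LOGIN` path and the sample `next` values are constructed for the demonstration. `vulnerable_redirect_target` mirrors the unchecked pattern the advisory describes, and `safe_redirect_target` is the hardened form.

```python
from urllib.parse import urlsplit

# Where the login page sends a user when `next` is absent or rejected.
# Assumed path for this example, not taken from the Iris project.
DEFAULT_AFTER_LOGIN = "/dashboard"


def vulnerable_redirect_target(next_param):
    """The pattern the advisory describes: the value of `next` is used as the
    redirect target without validation, so any external URL is accepted."""
    return next_param or DEFAULT_AFTER_LOGIN


def is_safe_redirect_target(target):
    """Accept only absolute-path references on the current origin.

    Rejects empty or missing values, values without a leading slash (bare
    hostnames, scheme-bearing URLs such as https://attacker.com, javascript:
    URIs), protocol-relative forms (//attacker.com) and their backslash
    variants (/\\attacker.com), which browsers normalise to a foreign host.
    """
    if not isinstance(target, str) or not target:
        return False
    # Browsers treat backslashes as slashes in http(s) URLs, so normalise
    # before applying the leading-slash rules.
    normalised = target.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # A same-origin path reference has neither a scheme nor an authority.
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(next_param):
    """Hardened replacement: return `next` only when it is a same-origin path,
    otherwise fall back to the default landing page."""
    if is_safe_redirect_target(next_param):
        return next_param
    return DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed sample values for the `next` parameter: the first two are
    # legitimate internal paths, the rest are open-redirect payload shapes.
    samples = [
        "/case/42?tab=notes",
        "/dashboard",
        "attacker.com",
        "//attacker.com",
        "/\\attacker.com",
        "https://attacker.com/login",
        "javascript:alert(1)",
        "",
    ]
    for value in samples:
        print(
            f"{value!r:32} vulnerable -> {vulnerable_redirect_target(value)!r:32} "
            f"hardened -> {safe_redirect_target(value)!r}"
        )
```

The check is deliberately stricter than a host comparison: it rejects any relative reference that does not begin with exactly one forward slash, so it never has to reason about how a browser will resolve a bare hostname, a protocol-relative URL, or a backslash variant. Running the script prints each sample beside the target the unchecked and the hardened handlers would redirect to.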
Preconditions
- input: The attacker must be able to control the `next` parameter in the URL.
- network: The attacker must be able to send a crafted link to the victim.
- auth: The vulnerability is triggered when a user interacts with the login page, potentially after authentication.
Reproduction
If a user can be made to open a link to the login page with an added parameter like /login?next=attacker.com, the standard authentication page is shown to the user [ref_id=1]:

```http
GET /login?next=attacker.com HTTP/1.1
Host: myiris.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Jan 2026 13:56:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4932
Connection: keep-alive
Vary: Cookie
Content-Security-Policy: default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security:
```
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.