VYPR
Medium severity (6.5) · NVD Advisory · Published Jun 4, 2026

CVE-2026-42539

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. Version 2.4.28 contains a patch.

Affected products (2)

  • Dfir Iris / Iris Web (inferred), 2 version ranges, all <2.4.28
    • (no CPE) range: <2.4.28
    • (no CPE) range: <2.4.28

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The API returns more fields than necessary when accessing certain objects."

Attack vector

An authenticated attacker with low privileges can reach certain API endpoints. When user information is updated (the page cites the administrator's user-update flow), the API response carries fields the client never needs: password hashes, Multi-Factor Authentication (MFA) secrets, and local server storage paths [ref_id=1]. On its own this is information disclosure, but the material is high-value: a leaked password hash can be attacked offline, a leaked TOTP secret lets its holder generate valid second-factor codes, and storage paths reveal the host's layout. The exposure therefore compounds other weaknesses, such as access-control flaws that let a low-privileged user reach responses meant for administrators [ref_id=2].

Affected code

No specific file or function is identified. The weakness is in how the API serializes user objects: rather than returning a minimal view, the response for the administrator's user-update request returns the full record, including fields the client never uses [ref_id=1].

What the fix does

Version 2.4.28 restricts the fields returned when these objects are accessed to those the client actually needs, so password hashes, MFA secrets, and local storage paths no longer reach the response [ref_id=1]. The general pattern is an explicit allow-list of response fields: anything not on the list stays server-side, including columns added later.
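As an added example (written for this page, not code from DFIR-IRIS, whose internals the page does not show), the "before" and "after" serializer patterns described under Attack vector, Affected code and What the fix does, plus a small response-audit helper a practitioner could drop into an API test suite. The User record, its field names, the sample values, the envelope shape and the regex are hypothetical and constructed for illustration.

```python
"""Added illustration of excessive data exposure (CWE-200 style) in a user
API response, and the allow-list serializer that fixes it.

This is example code written for this page, not code from DFIR-IRIS.
The User record, its field names, the sample values and the regex below
are hypothetical and constructed for illustration only.
"""
import json
import re
from dataclasses import asdict, dataclass


@dataclass
class User:
    # Hypothetical server-side user record (an ORM row in a real app).
    id: int
    name: str
    email: str
    active: bool
    password_hash: str        # never belongs in a client response
    mfa_secret: str           # TOTP seed: whoever holds it can mint codes
    profile_image_path: str   # local server storage path; leaks host layout


# Allow-list: the only keys a client needs to render or re-edit a user.
USER_RESPONSE_FIELDS = ("id", "name", "email", "active")


def serialize_user_vulnerable(user: User) -> str:
    """'Before' pattern: the whole record is dumped into the response, so
    every column, secrets included, reaches whoever called the endpoint."""
    return json.dumps(asdict(user))


def serialize_user_fixed(user: User) -> str:
    """'After' pattern: an explicit allow-list decides what leaves the
    server. Columns added later are private by default."""
    record = asdict(user)
    return json.dumps({key: record[key] for key in USER_RESPONSE_FIELDS})


def wrap_in_envelope(body: str, status: str = "ok") -> str:
    """Hypothetical API envelope: many APIs nest the object under 'data',
    which is why the audit below walks nested structures."""
    return json.dumps({"status": status, "data": json.loads(body)})


# Key names that should never appear in a client-facing payload. A
# hypothetical regression-test heuristic, not a substitute for allow-listing.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|hash|secret|token|salt|_path$)", re.IGNORECASE
)


def find_leaked_fields(body: str) -> list:
    """Walk a JSON response and return the dotted paths of keys that look
    sensitive. Handles nested objects and arrays."""
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if SENSITIVE_KEY_RE.search(key):
                    leaks.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(json.loads(body), "")
    return leaks


def response_keys(body: str) -> list:
    """Top-level keys of a JSON response, sorted, for comparison in tests."""
    return sorted(json.loads(body))


# Constructed sample record; the hash and secret are placeholders, not real.
SAMPLE_USER = User(
    id=42,
    name="analyst",
    email="analyst@example.org",
    active=True,
    password_hash="$2b$12$placeholderhashvalueforillustrationonly",
    mfa_secret="JBSWY3DPEHPK3PXP",
    profile_image_path="/opt/app/server_data/images/42.png",
)


if __name__ == "__main__":
    before = serialize_user_vulnerable(SAMPLE_USER)
    after = serialize_user_fixed(SAMPLE_USER)
    print("leaked before fix:", find_leaked_fields(before))
    print("leaked after fix: ", find_leaked_fields(after))
    print("keys after fix:   ", response_keys(after))
```

The fix is an allow-list rather than a deny-list: with `serialize_user_vulnerable`, every column added to the model in future ships to the client automatically, whereas with `serialize_user_fixed` a new column has to be added to `USER_RESPONSE_FIELDS` deliberately. The `find_leaked_fields` heuristic is only a safety net for tests; it will miss sensitive keys with innocuous names, which is why the allow-list is the actual control.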

Preconditions

  • auth: Attacker must have low privileges (authenticated access).

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.