CVE-2026-42540
Description
IRIS web platform versions prior to 2.4.28 allow authenticated users to manipulate database values via API requests, potentially altering account details and MFA secrets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The IRIS web collaborative platform, versions prior to 2.4.28, is vulnerable to mass assignment. This vulnerability allows authenticated users to alter values in the database via manipulated API requests, specifically by setting additional parameters for write operations that are not exposed in the GUI [1].
Exploitation
An attacker with authenticated user access can exploit this vulnerability by sending manipulated API requests. These requests can include parameters that are not normally exposed through the graphical user interface, allowing for unauthorized modifications to database entries [1].
Impact
Successful exploitation allows an attacker to modify various data points, including Object IDs, an account's UUID, MFA secrets, and user account properties such as username, account type (ServiceAccount or regular), MFA activation status, and active/inactive status. This could lead to unauthorized account control or data manipulation [1].
Mitigation
Version 2.4.28 of IRIS contains a patch for this vulnerability. Users are advised to upgrade to version 2.4.28 or later. The release date for the fixed version is not specified in the available references [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The affected API allows setting additional parameters for write operations which are not exposed in the GUI."
Attack vector
An authenticated user can send manipulated API requests to the IRIS web application. These requests can include parameters not normally available through the graphical user interface. By altering these hidden parameters, an attacker can modify sensitive data within the database, such as account types, MFA secrets, and user status [ref_id=1]. This vulnerability is classified as Mass Assignment [ref_id=1].
Affected code
The vulnerability lies within the API endpoints responsible for write operations in the IRIS web application. Specifically, the API allows setting additional parameters for these operations that are not exposed in the GUI, leading to unauthorized data modification [ref_id=1].
What the fix does
Version 2.4.28 contains a patch that addresses the Mass Assignment vulnerability. The patch likely restricts the parameters that can be modified via API requests, ensuring that only fields intended for user modification through the GUI are updatable. This prevents attackers from altering sensitive database values that are not exposed in the user interface [ref_id=1].
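The mass-assignment pattern described under "Vulnerability" and the allow-list fix sketched above, as an added example. This is constructed illustrative code, not IRIS source or its actual patch: the account record, the field names, and the `USER_EDITABLE_FIELDS` allow-list are assumptions chosen to mirror the data points the advisory lists (MFA secret, account type, active flag).

```python
"""Mass assignment: an update handler that copies every request key into the
stored record, beside an allow-list handler that accepts only user-editable
fields and fails closed on anything else. Constructed example, not IRIS code."""

from typing import Any, Dict, Iterable

# Constructed account record; field names are illustrative assumptions.
SAMPLE_ACCOUNT: Dict[str, Any] = {
    "id": 42,
    "uuid": "00000000-0000-0000-0000-000000000042",
    "username": "analyst",
    "display_name": "Analyst One",
    "email": "analyst@example.invalid",
    "account_type": "user",        # "user" or "service"
    "mfa_enabled": True,
    "mfa_secret": "ORIGINAL-SECRET",
    "active": True,
}

# Allow-list: the only fields the profile form is meant to let a user change
# (assumption for this example).
USER_EDITABLE_FIELDS = frozenset({"display_name", "email"})

# Constructed request bodies: one as the GUI would send it, one carrying
# extra keys the GUI never exposes.
BENIGN_REQUEST = {"display_name": "Analyst Uno"}
TAMPERED_REQUEST = {
    "display_name": "Analyst Uno",
    "mfa_secret": "ATTACKER-CONTROLLED",
    "account_type": "service",
    "active": False,
}


class UnexpectedFieldError(ValueError):
    """Raised when a write request names fields outside the allow-list."""

    def __init__(self, fields: Iterable[str]):
        self.fields = sorted(fields)
        super().__init__(f"request contains non-editable fields: {self.fields}")


def vulnerable_update(record: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Mass-assignment pattern: every key the client sends is written through."""
    updated = dict(record)
    updated.update(body)
    return updated


def hardened_update(record: Dict[str, Any], body: Dict[str, Any],
                    allowed: frozenset = USER_EDITABLE_FIELDS) -> Dict[str, Any]:
    """Allow-list pattern: refuse the whole request if it names any other field.

    Rejecting (rather than silently dropping unknown keys) keeps the attempt
    visible, so the field names can be logged and alerted on."""
    rejected = [key for key in body if key not in allowed]
    if rejected:
        raise UnexpectedFieldError(rejected)
    updated = dict(record)
    for key in allowed:
        if key in body:
            updated[key] = body[key]
    return updated


def run_demo() -> Dict[str, Any]:
    """Run both handlers against the constructed requests; return a summary."""
    vuln = vulnerable_update(SAMPLE_ACCOUNT, TAMPERED_REQUEST)
    try:
        hardened_update(SAMPLE_ACCOUNT, TAMPERED_REQUEST)
        rejected: list = []
    except UnexpectedFieldError as exc:
        rejected = exc.fields
    ok = hardened_update(SAMPLE_ACCOUNT, BENIGN_REQUEST)
    return {
        "vulnerable_mfa_secret": vuln["mfa_secret"],
        "vulnerable_account_type": vuln["account_type"],
        "hardened_rejected_fields": rejected,
        "hardened_mfa_secret": ok["mfa_secret"],
        "hardened_display_name": ok["display_name"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler is the generic `record.update(request)` shape behind most mass-assignment findings: the stored record, not the form, defines what can change. The hardened handler inverts that by enumerating the editable fields and treating any other key as an error; the raised field list is the natural thing to write to an audit log, since a request that names `mfa_secret` or `account_type` from the profile form is itself a signal worth detecting.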
Preconditions
- auth: The attacker must be an authenticated user.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.