CVE-2026-42543
Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method GET to change state on the server. Version 2.4.28 contains a patch.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
Root cause
"The application uses the HTTP GET method to perform state-changing operations."
Attack vector
An attacker can exploit this vulnerability by tricking a logged-in user into visiting a malicious website or a specially crafted link within the application itself. This link would trigger an HTTP GET request to the IRIS server, performing an action such as rotating an API token or logging the user out without their explicit consent [ref_id=1]. This is possible because the application does not properly validate that state-changing requests are made using a method like POST [ref_id=2].
Affected code
The vulnerability exists in versions of IRIS prior to 2.4.28. Specifically, the application accepts parameters via HTTP GET for state-changing operations, which is a design flaw that facilitates cross-site request forgery attacks [ref_id=1, ref_id=2].
What the fix does
Version 2.4.28 includes a patch that addresses this vulnerability. The advisory does not specify the exact code changes, but the patch rectifies the issue by preventing state-changing operations from being performed via HTTP GET requests. This ensures that only intended methods, likely POST, are used for sensitive actions, thereby mitigating the CSRF risk [ref_id=1, ref_id=2].
Preconditions
- auth: The target user must be logged into the IRIS application.
- network: The attacker must be able to send a crafted HTTP GET request to the IRIS server.
Reproduction
The following HTTP communication rotates the API key of the account:

Request:
GET /user/token/renew?cid=1 HTTP/1.1
Host: myiris.local
Cookie: session=.eJw[...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Referer: https://myiris.local/user/settings?cid=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive

Response:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Jan 2026 10:47:31 GMT
Content-Type: application/json
Content-Length: 61
Connection: keep-alive
Vary: Cookie
Content-Security-Policy: default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline';
[ref_id=2]
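To make the root cause and the intent of the fix concrete, the following is an added example (not IRIS's own code; the advisory does not show the actual patch) that models the /user/token/renew handler seen in the request above with constructed Request and Session stand-ins: the pre-2.4.28 shape that rotates the key on GET, beside a hardened form that requires POST, a session-bound CSRF token, and a same-site fetch.

```python
# Added example, not IRIS code. Request/Session are constructed stand-ins for
# the framework objects; the endpoint path is the one from the advisory.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user_id: int
    api_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def renew_token_vulnerable(req: Request, session: Session):
    """Pre-2.4.28 shape: the state change happens on any request to the path,
    so a GET carrying the victim's session cookie (a link, an <img src>)
    rotates the API key without the user's intent."""
    if req.path != "/user/token/renew":
        return 404, {}
    session.api_token = secrets.token_urlsafe(32)
    return 200, {"status": "success"}


def renew_token_hardened(req: Request, session: Session):
    """Hardened shape: POST only, same-site fetch, per-session CSRF token."""
    if req.path != "/user/token/renew":
        return 404, {}
    if req.method != "POST":
        # Safe methods must stay side-effect free; a GET can no longer renew.
        return 405, {"status": "error", "message": "method not allowed"}
    # Browsers send Sec-Fetch-Site on cross-site requests; refuse those.
    # The header is absent on old clients, so only reject when it says so.
    site = req.headers.get("Sec-Fetch-Site", "same-origin")
    if site not in ("same-origin", "none"):
        return 403, {"status": "error", "message": "cross-site request refused"}
    # The token is bound to the session and unknown to a third-party page.
    sent = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent, session.csrf_token):
        return 403, {"status": "error", "message": "missing or invalid CSRF token"}
    session.api_token = secrets.token_urlsafe(32)
    return 200, {"status": "success"}
```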
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0 (No linked articles in our index yet.)