CVE-2026-42547
Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination with Cross-Site Scripting, this can also be used to exfiltrate alerts from other customers. Version 2.4.28 contains a patch.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"The application does not validate that a user is assigned to a customer before allowing them to create or update alerts for that customer."
Attack vector
A user with alerts_write privileges can create or update alerts for any customer, regardless of whether that customer is assigned to them. This allows for the false attribution of alerts to customers [ref_id=1]. In conjunction with Cross-Site Scripting, this vulnerability can be leveraged to exfiltrate alerts belonging to other customers [ref_id=1].
Affected code
The vulnerability lies in the alert creation and update functionality where customer assignments are not properly validated against user permissions. The advisory does not specify exact file paths or function names.
What the fix does
Version 2.4.28 includes a patch that addresses the vulnerability. The advisory does not specify the exact code changes, but it rectifies the improper validation that allowed users to create alerts for unassigned customers [ref_id=1]. This prevents both the false attribution of alerts and the potential exfiltration of sensitive alert data.
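The missing object-level check described above, as an added example that is not IRIS project code and does not reflect the project's actual data model: the vulnerable creation path only tests the coarse `alerts_write` privilege, while the fixed paths also require that the customer is assigned to the acting user (and, for updates, both the alert's current and target customer). The `User`, `AlertStore` and `Forbidden` names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails a privilege or customer-assignment check."""


@dataclass
class User:
    name: str
    permissions: set   # coarse privileges, e.g. {"alerts_write"}
    customers: set     # ids of the customers assigned to this user


@dataclass
class AlertStore:
    alerts: dict = field(default_factory=dict)   # alert_id -> alert record
    next_id: int = 1

    def _require_write(self, user):
        if "alerts_write" not in user.permissions:
            raise Forbidden("alerts_write required")

    def _require_assigned(self, user, customer_id):
        # Object-level check that the vulnerable version omits.
        if customer_id not in user.customers:
            raise Forbidden(f"customer {customer_id} not assigned to {user.name}")

    def create_alert_vulnerable(self, user, customer_id, title):
        # Privilege check only: any customer id sent in the request is accepted.
        self._require_write(user)
        return self._store(user, customer_id, title)

    def create_alert_fixed(self, user, customer_id, title):
        self._require_write(user)
        self._require_assigned(user, customer_id)
        return self._store(user, customer_id, title)

    def update_alert_fixed(self, user, alert_id, new_customer_id):
        # Both the alert's current customer and the target customer must be
        # assigned; otherwise an update could move an alert to or from another customer.
        self._require_write(user)
        alert = self.alerts[alert_id]
        self._require_assigned(user, alert["customer_id"])
        self._require_assigned(user, new_customer_id)
        alert["customer_id"] = new_customer_id
        return alert

    def _store(self, user, customer_id, title):
        alert = {"id": self.next_id, "customer_id": customer_id,
                 "title": title, "author": user.name}
        self.alerts[self.next_id] = alert
        self.next_id += 1
        return alert
```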
Preconditions
- Authentication: the attacker must be a user with alerts_write privileges.
- Input: the attacker needs to be able to send POST requests to the /alerts/add endpoint.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0 (no linked articles in our index yet)