Severity: HIGH | CVE-2026-41522 | Published | Modified | CNA: GitHub_M

CVE-2026-41522: Iris has an Improper Authorization issue

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: (1) unauthorized IOC read across cases (IDOR); (2) bulk IOC disclosure via `case.iocs`, since the `case(caseId: …).iocs` resolver returns the IOCs linked to an arbitrary case without verifying that the caller has access to that case; and (3) unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28: the GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.
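The core of the `case.iocs` flaw is a resolver that trusts authentication alone and never consults the per-case ACL. The following is an added illustration, not DFIR-IRIS code: a plain-Python stand-in for that resolver beside a hardened version that enforces a case ACL the way the REST API does. `User`, `CASE_ACL`, `IOCS` and `NoAccess` are hypothetical names and the data is constructed.

```python
# Added illustration (not DFIR-IRIS code) of the missing per-case ACL check
# behind CVE-2026-41522. All names and data below are hypothetical/constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool = False


# Constructed sample data: which user ids may read which case, and IOCs per case.
CASE_ACL = {1: {10, 11}, 2: {12}}
IOCS = {
    1: ["evil.example", "198.51.100.7"],            # constructed domain / doc-range IP
    2: ["d41d8cd98f00b204e9800998ecf8427e"],       # constructed hash value
}


class NoAccess(PermissionError):
    """Raised when the caller is not on the case ACL."""


def resolve_case_iocs_vulnerable(caller: User, case_id: int) -> list[str]:
    """Mirrors the flaw: `caller` is authenticated but never checked against
    the case ACL, so any case id returns its IOCs (IDOR / bulk disclosure)."""
    return list(IOCS.get(case_id, []))


def user_can_read_case(caller: User, case_id: int) -> bool:
    """Per-case authorization: admins, or users listed on that case's ACL."""
    return caller.is_admin or caller.user_id in CASE_ACL.get(case_id, set())


def resolve_case_iocs_fixed(caller: User, case_id: int) -> list[str]:
    """Hardened resolver: enforce the same case ACL the REST API applies."""
    if not user_can_read_case(caller, case_id):
        # Deny before touching case data, so a non-member also cannot use the
        # response to learn whether a given case id exists.
        raise NoAccess(f"user {caller.user_id} may not read case {case_id}")
    return list(IOCS.get(case_id, []))
```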

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Improper authorization in Iris (dfir-iris/iris-web) exposes a GraphQL endpoint at /graphql that skips the role and case ACL checks enforced by the REST API. Any authenticated user, regardless of privilege level, can exploit this to read IOCs from cases they have no access to (IDOR), bulk-disclose IOCs via the case.iocs resolver, and create new cases without authorization. Successful exploitation gives an attacker read access to sensitive incident investigation data and the ability to inject new cases into the platform. No fix version has been published to package registries yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream release is confirmed.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-41522 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that vendor iris-web internally. Any image running an affected version of iris-web (below 2.4.28) is flagged automatically.

Triage: Available

Triage is available with the CVSS v4.0 score of 7.1 (HIGH), weighted against each environment's compliance policy to prioritize exposure in sensitive or regulated contexts. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published to package registries yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream release is confirmed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable /graphql endpoint is exposed over the network, so the attacker must be able to reach the Iris web service via HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege authenticated account is sufficient; no elevated or admin role is needed to trigger the authorization bypass.

  • Victim interaction: Not required

    The attacker sends requests directly to the GraphQL endpoint and does not need any action from another user.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is straightforward and condition-free; crafting a valid GraphQL query against the unprotected resolver requires no race conditions or special environmental setup.

Blast Radius

  • Reads IOCs (indicators of compromise such as file hashes, IPs, and domains) from any case in the platform, including cases the attacker has no legitimate access to.
  • Bulk-discloses all IOCs linked to an arbitrary case in a single resolver call, accelerating exfiltration of incident investigation data.
  • Creates new cases in the platform under any authenticated identity, allowing an attacker to inject false or misleading incident records.

How HarborGuard Handles This

Available on HarborGuard: images running iris-web below 2.4.28 are flagged as soon as the CVE is matched on ingestion. Because no upstream fix version has been published to registries yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment the release is confirmed; for customers with auto-remediation enabled, that rebuild will be followed by a regression run and a PR opened against affected workloads automatically. In the interim, compensating controls are available at the infrastructure layer: block access to the /graphql path at the reverse proxy (the approach recommended by the upstream maintainers), or, where direct access to the application source is possible, remove the graphql_blueprint import and register_blueprint call in source/app/views.py and restart the service. Network-policy isolation limiting which internal services or user roles can reach the Iris web port also reduces exposure while a patched release is pending.
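Once /graphql is blocked at the reverse proxy, the proxy's access log is the place to confirm the block holds and to spot any request that still reaches the endpoint. This added example (not HarborGuard or DFIR-IRIS code) parses nginx combined-format access log lines, constructed here, and separates /graphql requests that were rejected from those that got through.

```python
# Added example (not HarborGuard/DFIR-IRIS code): audit reverse-proxy access
# logs for requests to the /graphql endpoint. Sample lines are constructed in
# nginx "combined" format; IPs are from the 203.0.113.0/24 documentation range.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.5 - alice [01/Mar/2026:10:00:01 +0000] "GET /case/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - alice [01/Mar/2026:10:00:02 +0000] "POST /graphql HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.9 - bob [01/Mar/2026:10:00:03 +0000] "POST /graphql?x=1 HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.9 - bob [01/Mar/2026:10:00:04 +0000] "GET /graphql/ HTTP/1.1" 403 162 "-" "curl/8.0"
203.0.113.9 - bob [01/Mar/2026:10:00:05 +0000] "GET /api/iocs HTTP/1.1" 200 300 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_graphql_path(path):
    """True for the endpoint itself, a trailing-slash variant, or anything under it.
    The query string is dropped first so '/graphql?x=1' still matches."""
    base = path.split("?", 1)[0].rstrip("/")
    return base == "/graphql" or base.startswith("/graphql/")


def graphql_hits(log_text):
    """(ip, user, method, status) for every request that touched /graphql."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_graphql_path(rec["path"]):
            hits.append((rec["ip"], rec["user"], rec["method"], int(rec["status"])))
    return hits


def unblocked_hits(log_text):
    """Requests that reached /graphql and were NOT rejected (status < 400):
    each one means the proxy-level block is missing or was bypassed."""
    return [h for h in graphql_hits(log_text) if h[3] < 400]
```

Run `unblocked_hits` over the real proxy log after applying the block; an empty result means every /graphql request is being rejected at the edge.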

Affected packages

  • dfir-iris / iris-web: < 2.4.28

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N