PatchSiren cyber security CVE debrief
CVE-2026-41522 dfir-iris CVE debrief
CVE-2026-41522 is a HIGH severity vulnerability in the Iris web collaborative platform. The platform's optional GraphQL endpoint at `/graphql` did not enforce the same authorization checks as the REST API, allowing authenticated users to perform unauthorized actions. Specifically, attackers could read incident response data across cases (IDOR), disclose incident response data in bulk via `case.iocs`, and create new cases without proper authorization. All three vulnerabilities were reachable by any authenticated user, regardless of role or case access control list (ACL). The issue was fixed in version 2.4.28 by removing the GraphQL endpoint entirely.
- Vendor: dfir-iris
- Product: iris-web
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-05
Who should care
Incident responders, security teams, and administrators running iris-web (the Iris web collaborative platform) should be aware of this vulnerability and act on it promptly. It matters most where case ACLs are relied on to keep cases separate between teams or clients, because any authenticated account could read across that boundary through `/graphql`.
Technical summary
The GraphQL endpoint at `/graphql` in Iris web collaborative platform versions prior to 2.4.28 did not enforce the authorization checks applied by the REST API. An authenticated user, regardless of role or case ACL, could:
- read incident response data across cases (IDOR);
- disclose incident response data in bulk via `case.iocs`;
- create new cases without authorization.
The vulnerability was addressed by removing the GraphQL endpoint in version 2.4.28.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Iris version 2.4.28 or later
- Block access to the `/graphql` endpoint at the reverse proxy level (recommended workaround)
- Comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart the application (workaround)
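The reverse-proxy workaround written out as an added nginx example. This is not the project's own configuration and is not taken from the advisory; it assumes nginx fronting an iris-web instance on `127.0.0.1:8000`, the hostname `iris.example.com`, and the certificate paths shown, all of which are placeholders to adapt.

```nginx
# Added example (not iris-web's own config). Assumes iris-web listens on
# 127.0.0.1:8000 behind this nginx instance; hostname and TLS paths are placeholders.
upstream iris_web {
    server 127.0.0.1:8000;
}

server {
    listen 443 ssl;
    server_name iris.example.com;                     # assumed hostname

    ssl_certificate     /etc/nginx/tls/iris.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/iris.key;      # assumed path

    # Workaround for CVE-2026-41522: refuse the GraphQL endpoint before the
    # request reaches the application. nginx matches locations against the
    # percent-decoded path without the query string, so /graphql?query=...
    # and /graph%71l both land here. The regex also catches a trailing slash.
    location ~ ^/graphql(/|$) {
        # Separate log so attempts to reach the endpoint stand out for review.
        access_log /var/log/nginx/iris_graphql_blocked.log;
        return 404;
    }

    # Everything else is proxied to iris-web unchanged.
    location / {
        proxy_pass http://iris_web;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading, then confirm from outside with `curl -i https://iris.example.com/graphql` that the response is the proxy's 404 rather than the application's GraphQL response. Because the endpoint was reachable by any authenticated user before the block, search the existing proxy access logs for requests to `/graphql` to establish whether it was used prior to the fix. The block is a stopgap only; upgrading to 2.4.28 removes the endpoint from the application itself.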
Evidence notes
The vulnerability was reported and fixed by the Iris development team. The CVE was published on [cve-org] and additional details were provided by [nvd].
Official resources
- CVE-2026-41522 CVE record (CVE.org)
- CVE-2026-41522 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41522 was published on 2026-06-04T20:16:58.140Z and modified on 2026-06-05T16:00:09.370Z.