Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Description PRE-NVD
AnalysisAI
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Technical ContextAI
CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly called Mass Assignment, arises when a web application automatically binds HTTP request parameters to internal model attributes without an explicit allowlist of permitted fields. An attacker crafts a request to include parameters the developer did not intend to be user-settable - such as role identifiers, ownership flags, or administrative metadata - and the application's ORM or deserialization layer applies them without validation. DFIR-IRIS (iris-web on GitHub) is an open-source Digital Forensics and Incident Response collaboration platform. The affected code path processes user-supplied data in a way that permits field injection into server-side model objects. The advisory cluster (SBA-ADV-20260128-01) was published by SBA Research on 2026-05-19 via oss-security alongside four sibling CVEs (CVE-2026-42538 insecure file upload, CVE-2026-42539 excessive data exposure, CVE-2026-42543 CSRF, CVE-2026-42547), suggesting a comprehensive audit of the iris-web codebase prior to version 2.4.28.
RemediationAI
The primary remediation is to upgrade DFIR-IRIS to version 2.4.28 or later, which is the fix boundary stated by SBA Research advisory SBA-ADV-20260128-01. The patch details and changelog are available via the GitHub security advisory GHSA-w78h-mx7h-qm3h at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-w78h-mx7h-qm3h. Note that the exact patched release version is referenced in the advisory description but has not been independently confirmed from a tagged GitHub release - verify the release tag before deploying. As a compensating control prior to patching, restrict access to the DFIR-IRIS instance to trusted, role-controlled users only and audit existing user permissions to remove unnecessary low-privilege accounts that could abuse the mass assignment endpoint. Restricting network exposure (e.g., placing the instance behind a VPN or internal network boundary) reduces the attack surface given the PR:L requirement, though this does not eliminate the vulnerability for internal threat actors.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34328