Skip to main content

DFIR-IRIS CVE-2026-42540

| EUVDEUVD-2026-34328 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-27
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Jun 04, 2026 - 23:01 EUVD
Analysis Generated
Jun 04, 2026 - 22:23 vuln.today
CVSS changed
Jun 04, 2026 - 22:22 NVD
4.3 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.

Technical ContextAI

CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly called Mass Assignment, arises when a web application automatically binds HTTP request parameters to internal model attributes without an explicit allowlist of permitted fields. An attacker crafts a request to include parameters the developer did not intend to be user-settable - such as role identifiers, ownership flags, or administrative metadata - and the application's ORM or deserialization layer applies them without validation. DFIR-IRIS (iris-web on GitHub) is an open-source Digital Forensics and Incident Response collaboration platform. The affected code path processes user-supplied data in a way that permits field injection into server-side model objects. The advisory cluster (SBA-ADV-20260128-01) was published by SBA Research on 2026-05-19 via oss-security alongside four sibling CVEs (CVE-2026-42538 insecure file upload, CVE-2026-42539 excessive data exposure, CVE-2026-42543 CSRF, CVE-2026-42547), suggesting a comprehensive audit of the iris-web codebase prior to version 2.4.28.

RemediationAI

The primary remediation is to upgrade DFIR-IRIS to version 2.4.28 or later, which is the fix boundary stated by SBA Research advisory SBA-ADV-20260128-01. The patch details and changelog are available via the GitHub security advisory GHSA-w78h-mx7h-qm3h at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-w78h-mx7h-qm3h. Note that the exact patched release version is referenced in the advisory description but has not been independently confirmed from a tagged GitHub release - verify the release tag before deploying. As a compensating control prior to patching, restrict access to the DFIR-IRIS instance to trusted, role-controlled users only and audit existing user permissions to remove unnecessary low-privilege accounts that could abuse the mass assignment endpoint. Restricting network exposure (e.g., placing the instance behind a VPN or internal network boundary) reduces the attack surface given the PR:L requirement, though this does not eliminate the vulnerability for internal threat actors.

Share

CVE-2026-42540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy