Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Description PRE-NVD
AnalysisAI
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
DFIR-IRIS (iris-web) is an open-source collaborative Digital Forensics and Incident Response platform built on Python/Flask, used by security operations and forensic teams to manage cases, evidence, and investigation timelines. The root cause is classified as CWE-650 (Trusting HTTP Permission Methods on the Server Side), which indicates the application relies on HTTP method conventions (e.g., distinguishing GET from POST) as an implicit security boundary rather than implementing cryptographic anti-CSRF tokens or enforcing SameSite cookie policies. This allows an attacker to craft a cross-origin HTTP request that the victim's browser will automatically submit, bypassing intended access controls. No CPE strings were included in the input data; affected versions are identified as all DFIR-IRIS releases prior to 2.4.28 per advisory SBA-ADV-20260128-03 and GitHub security advisory GHSA-m73w-v4r5-vw9m.
RemediationAI
Upgrade DFIR-IRIS to version 2.4.28 or later, which remediates this CSRF flaw and the three co-disclosed vulnerabilities (CVE-2026-42539, CVE-2026-42540, CVE-2026-42547). The upstream fix is documented in GitHub security advisory GHSA-m73w-v4r5-vw9m at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m73w-v4r5-vw9m and the oss-security disclosure at https://www.openwall.com/lists/oss-security/2026/05/19. If immediate patching is not feasible, restrict DFIR-IRIS web interface access to trusted internal networks or enforce VPN-only access to reduce the attacker's ability to deliver a CSRF payload - this does not eliminate the vulnerability but removes most attacker delivery vectors. As an additional compensating control, configuring SameSite=Strict on session cookies at the reverse proxy layer will block cross-site request submission, though this may break any legitimate cross-origin integrations. Both workarounds have the trade-off of reducing but not eliminating risk and should be treated as temporary measures pending the patch.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34329