Skip to main content

DFIR-IRIS CVE-2026-42543

| EUVDEUVD-2026-34329 MEDIUM
Trusting HTTP Permission Methods on the Server Side (CWE-650)
2026-05-27
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Jun 04, 2026 - 23:01 EUVD
Analysis Generated
Jun 04, 2026 - 22:24 vuln.today
CVSS changed
Jun 04, 2026 - 22:22 NVD
4.3 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

DFIR-IRIS (iris-web) is an open-source collaborative Digital Forensics and Incident Response platform built on Python/Flask, used by security operations and forensic teams to manage cases, evidence, and investigation timelines. The root cause is classified as CWE-650 (Trusting HTTP Permission Methods on the Server Side), which indicates the application relies on HTTP method conventions (e.g., distinguishing GET from POST) as an implicit security boundary rather than implementing cryptographic anti-CSRF tokens or enforcing SameSite cookie policies. This allows an attacker to craft a cross-origin HTTP request that the victim's browser will automatically submit, bypassing intended access controls. No CPE strings were included in the input data; affected versions are identified as all DFIR-IRIS releases prior to 2.4.28 per advisory SBA-ADV-20260128-03 and GitHub security advisory GHSA-m73w-v4r5-vw9m.

RemediationAI

Upgrade DFIR-IRIS to version 2.4.28 or later, which remediates this CSRF flaw and the three co-disclosed vulnerabilities (CVE-2026-42539, CVE-2026-42540, CVE-2026-42547). The upstream fix is documented in GitHub security advisory GHSA-m73w-v4r5-vw9m at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m73w-v4r5-vw9m and the oss-security disclosure at https://www.openwall.com/lists/oss-security/2026/05/19. If immediate patching is not feasible, restrict DFIR-IRIS web interface access to trusted internal networks or enforce VPN-only access to reduce the attacker's ability to deliver a CSRF payload - this does not eliminate the vulnerability but removes most attacker delivery vectors. As an additional compensating control, configuring SameSite=Strict on session cookies at the reverse proxy layer will block cross-site request submission, though this may break any legitimate cross-origin integrations. Both workarounds have the trade-off of reducing but not eliminating risk and should be treated as temporary measures pending the patch.

Share

CVE-2026-42543 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy