Skip to main content

DFIR-IRIS CVE-2026-42547

| EUVDEUVD-2026-34330 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-27
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
Jun 04, 2026 - 23:01 EUVD
Analysis Generated
Jun 04, 2026 - 22:23 vuln.today
CVSS changed
Jun 04, 2026 - 22:22 NVD
5.4 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
MEDIUM 5.4
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.

Technical ContextAI

DFIR-IRIS is an open-source collaborative incident response and digital forensics platform used by SOC and DFIR teams to manage cases, alerts, and customer engagements. The root cause is CWE-863 (Incorrect Authorization), meaning the application performs an authorization check but does so incorrectly - it likely validates that a user is authenticated but fails to verify whether that user has the right to associate alerts with a specific customer entity. This class of flaw differs from missing authorization (CWE-862): the check exists but is insufficient or improperly scoped. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network by any authenticated user with low privileges, requiring no user interaction and no special attack complexity. The advisory GHSA-8hwq-v6vm-9grr is hosted on the dfir-iris/iris-web GitHub repository, confirming this affects the web application layer of the platform.

RemediationAI

Upgrade DFIR-IRIS to version 2.4.28 or later, which contains the fix per the SBA Research advisory and the GitHub Security Advisory GHSA-8hwq-v6vm-9grr (https://github.com/dfir-iris/iris-web/security/advisories/GHSA-8hwq-v6vm-9grr). The exact patched version (2.4.28) is stated in the disclosure; this should be verified against the official dfir-iris/iris-web release page before deployment. As a compensating control prior to patching, restrict platform access to the minimum required set of authenticated users and audit existing alert-to-customer attribution records for unexpected changes. Enabling audit logging on alert modification endpoints, if supported by the platform, can help detect abuse. Note that restricting user access broadly may impact operational workflows in active incident response environments.

Share

CVE-2026-42547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy