Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.
Technical ContextAI
DFIR-IRIS is an open-source collaborative incident response and digital forensics platform used by SOC and DFIR teams to manage cases, alerts, and customer engagements. The root cause is CWE-863 (Incorrect Authorization), meaning the application performs an authorization check but does so incorrectly - it likely validates that a user is authenticated but fails to verify whether that user has the right to associate alerts with a specific customer entity. This class of flaw differs from missing authorization (CWE-862): the check exists but is insufficient or improperly scoped. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network by any authenticated user with low privileges, requiring no user interaction and no special attack complexity. The advisory GHSA-8hwq-v6vm-9grr is hosted on the dfir-iris/iris-web GitHub repository, confirming this affects the web application layer of the platform.
RemediationAI
Upgrade DFIR-IRIS to version 2.4.28 or later, which contains the fix per the SBA Research advisory and the GitHub Security Advisory GHSA-8hwq-v6vm-9grr (https://github.com/dfir-iris/iris-web/security/advisories/GHSA-8hwq-v6vm-9grr). The exact patched version (2.4.28) is stated in the disclosure; this should be verified against the official dfir-iris/iris-web release page before deployment. As a compensating control prior to patching, restrict platform access to the minimum required set of authenticated users and audit existing alert-to-customer attribution records for unexpected changes. Enabling audit logging on alert modification endpoints, if supported by the platform, can help detect abuse. Note that restricting user access broadly may impact operational workflows in active incident response environments.
Same weakness CWE-863 – Incorrect Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34330