CVE-2026-22783
Unknown Unknown - Not Provided
Mass Assignment Vulnerability in Iris Datastore Enables Arbitrary File Deletion

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22783
EUVD
EUVD-2026-2004
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dfir-iris iris-web to 2.4.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the iris-web platform arises from improper handling of the file_local_name field in the datastore file management system. Authenticated users can upload a file, then use mass assignment to change the file_local_name to point to any arbitrary filesystem path. When the delete operation is triggered, it deletes the file at that arbitrary path without validating whether the path is safe or within the intended datastore directory. This allows attackers to delete arbitrary files on the filesystem, exploiting a lack of path validation and improper control over which fields can be updated. [2]

Impact Analysis

The vulnerability can lead to high integrity and availability loss by allowing authenticated users to delete arbitrary files on the filesystem. This can disrupt system operations, cause data loss, and potentially damage the system by removing critical files. Confidentiality is not affected, but the ability to delete important files can severely impact system stability and trustworthiness. [2]

Detection Guidance

Detection involves monitoring for suspicious file operations related to the iris-web datastore, especially unauthorized changes to the file_local_name field and unexpected deletions of files outside the datastore directory. Since the vulnerability requires authenticated user actions, reviewing iris-web application logs for warnings about file deletions or access attempts outside the datastore directory can help. Additionally, monitoring filesystem changes for unexpected deletions or modifications of critical files may indicate exploitation attempts. Specific commands depend on your environment, but examples include: 1) Checking iris-web logs for warnings (e.g., using grep): `grep -i warning /path/to/iris-web/logs/*` 2) Monitoring recent file deletions in the datastore directory and parent directories: `find /path/to/datastore -type f -mtime -1` 3) Using audit tools like auditd to track file deletion events on critical paths. 4) Reviewing web server access logs for suspicious authenticated requests that update file metadata. These steps help identify attempts to exploit the vulnerability by detecting abnormal file operations and log warnings introduced by the patch. [1]

Mitigation Strategies

The immediate mitigation is to upgrade the iris-web application to version 2.4.24 or later, where the vulnerability is fixed. The patch restricts which file metadata fields can be updated via mass assignment, validates file paths to ensure they reside within the datastore directory before deletion, and adds logging for suspicious file operations. If upgrading immediately is not possible, restrict access to the iris-web application to trusted users only, monitor logs closely for suspicious activity, and consider disabling file deletion features temporarily. However, no effective workaround exists other than applying the official patch. [2, 1]

Compliance Impact

The vulnerability allows authenticated users to delete arbitrary filesystem paths, leading to high integrity and availability loss. Such unauthorized deletion of files could impact compliance with standards like GDPR and HIPAA, which require protection of data integrity and availability. However, confidentiality is not affected by this vulnerability. Therefore, organizations using affected versions of iris-web may face compliance risks related to data integrity and availability requirements under these regulations if the vulnerability is exploited. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart