CVE-2026-41522
Deferred Deferred - Pending Action
GraphQL Authorization Bypass in DFIR-IRIS

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR), bulk IOC disclosure via `case.iocs`. The `case(caseId: …).iocs` resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case, and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-26
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-24
NVD
CVE-2026-41522
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dfir-iris iris to 2.4.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41522 is an improper authorization vulnerability in the DFIR-IRIS application versions 2.4.27 and earlier. It involves an exposed GraphQL endpoint at /graphql that does not enforce the same authorization checks as the REST API.

This flaw allows any authenticated user to perform unauthorized actions including: reading Indicators of Compromise (IOCs) across cases without permission (IDOR), bulk disclosure of IOCs linked to arbitrary cases, and creating cases without proper authorization.

The vulnerability exists because the GraphQL endpoint fails to verify if the user has access rights to the requested cases, unlike the REST API. The issue was fixed in version 2.4.28 by removing the GraphQL feature entirely.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information, specifically Indicators of Compromise (IOCs) across different cases, which could expose confidential investigation details.

An attacker with any authenticated user privileges can exploit this to read data they should not have access to, potentially compromising the confidentiality of incident response investigations.

Additionally, unauthorized case creation could disrupt the integrity and management of cases within the platform.

Detection Guidance

This vulnerability can be detected by checking for the presence of the exposed GraphQL endpoint at /graphql on DFIR-IRIS instances running version 2.4.27 or earlier.

You can use network scanning or HTTP request tools to detect if the /graphql endpoint is accessible and requires only authentication without proper authorization.

  • Use curl to check the endpoint: curl -i -X POST https://your-iris-instance/graphql -H "Authorization: Bearer <token>" -d '{"query":"{ case(caseId: \"1\") { iocs { id } } }"}'
  • Use tools like nmap with HTTP scripts to detect the /graphql endpoint: nmap --script http-graphql-introspection -p 80,443 your-iris-instance

If the endpoint responds and returns data without proper authorization checks, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include blocking access to the /graphql endpoint at the reverse proxy level to prevent any authenticated user from reaching it.

Alternatively, you can disable the GraphQL feature by commenting out the graphql_blueprint import and the register_blueprint call in the source/app/views.py file, then restarting the application.

The ultimate fix is to upgrade DFIR-IRIS to version 2.4.28 or later, where the GraphQL feature has been completely removed.

Compliance Impact

The vulnerability in DFIR-IRIS allows unauthorized access to sensitive information, specifically Indicators of Compromise (IOCs) across cases, due to improper authorization checks on the GraphQL endpoint. This unauthorized disclosure of sensitive data can lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict access controls and protection of confidential information.

Because any authenticated user can access or disclose sensitive case information without proper authorization, organizations using affected versions of DFIR-IRIS may face compliance risks related to confidentiality and data security mandates under these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart