CVE-2026-42539
Information Disclosure in IRIS Platform
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive data to users who do not need it for their operations. This could result in exposure of confidential information, potentially compromising privacy or security within an organization.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade IRIS to version 2.4.28 or later, as this version contains the patch that prevents sensitive data from being returned unnecessarily.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in IRIS versions prior to 2.4.28 causes the platform to return sensitive data to users that is not required for the clientβs operation.
Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls on the handling and disclosure of personal and sensitive information.
Therefore, this vulnerability could potentially result in violations of these standards by exposing sensitive information unnecessarily.
Can you explain this vulnerability to me?
The vulnerability exists in IRIS, a web collaborative platform used by incident responders. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. This means that users could potentially access information they should not have access to. The issue was fixed in version 2.4.28.