CVE-2026-42539
Deferred - Pending Action
Information Disclosure in IRIS Platform

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. Version 2.4.28 contains a patch.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-08
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
NVD
Affected Vendors & Products
Vendor: iris
Product: iris
Version / Range: up to 2.4.28 (exclusive)
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
AI Quick Actions
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data to users who do not need it for their operations. This could result in exposure of confidential information, potentially compromising privacy or security within an organization.

Mitigation Strategies

To mitigate this vulnerability, upgrade IRIS to version 2.4.28 or later, as this version contains the patch that prevents sensitive data from being returned unnecessarily.

Detection Guidance

This vulnerability involves the IRIS web application (versions 2.4.27 and earlier) returning excessive sensitive data in API responses, such as password hashes, MFA secrets, and local server storage paths.

To detect this vulnerability on your network or system, you can monitor and analyze API responses from the IRIS application for the presence of sensitive data that should not be exposed.

Suggested commands include using tools like curl or wget to make API requests and inspecting the responses for sensitive information exposure.

  • curl -i -X GET "http://<iris-server>/api/endpoint" -H "Authorization: Bearer <token>"
  • Use grep or jq to search the response for keywords such as 'password', 'hash', 'MFA', or 'secret'. For example: curl ... | grep -i 'password'
  • Capture and analyze network traffic with tools like Wireshark or tcpdump to inspect API responses for sensitive data.

If sensitive data such as password hashes or MFA secrets is found in the responses, it indicates the presence of this vulnerability.
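The grep-for-keywords approach above is noisy and misses sensitive values that sit under innocent-looking keys. The following script is an added example, not IRIS project code: it walks a decoded JSON API response (captured with curl as described above) and flags both suspicious key names and value shapes matching the three data classes the advisory names, namely password hashes, MFA secrets and local server paths. The field names and the sample response are constructed for illustration; IRIS's real response schema is not on this page, and the key matcher assumes snake_case names.

```python
"""Scan a JSON API response for data a client has no need for.

Added example (not IRIS project code). The field names and the sample
response are constructed to illustrate the over-exposure the advisory
describes: password hashes, MFA secrets and local server storage paths.
"""
import json
import re

# Key names that should never reach a client (assumed snake_case; the real
# IRIS field names are not on the advisory page).
SENSITIVE_KEY_RE = re.compile(
    r"(?:^|_)(?:password|passwd|pwd|hash|mfa|totp|otp|secret|token|api_key)s?(?:$|_)",
    re.IGNORECASE,
)

# Value shapes worth flagging even under an innocent key name. Order matters:
# the first matching reason is reported for a given string.
VALUE_PATTERNS = {
    # bcrypt / argon2 / pbkdf2 / sha-crypt modular-crypt-format prefixes
    "password_hash": re.compile(r"^\$(2[aby]|argon2(id|i|d)?|pbkdf2|sha\d+)\$"),
    # absolute POSIX path with at least two components, or a Windows drive path
    "local_path": re.compile(r"^(/[^/\s]+){2,}/?$|^[A-Za-z]:\\"),
    # base32 blob of the size a TOTP seed usually has
    "base32_secret": re.compile(r"^[A-Z2-7]{16,}={0,6}$"),
}


def find_sensitive_fields(obj, path="$"):
    """Walk a decoded JSON document; return (json_path, reason, value) hits."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}"
            # A matching scalar key is reported once; containers are always
            # descended into so nested keys get their own verdict.
            if SENSITIVE_KEY_RE.search(key) and not isinstance(val, (dict, list)):
                hits.append((child, "sensitive key name", val))
            else:
                hits.extend(find_sensitive_fields(val, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for reason, pat in VALUE_PATTERNS.items():
            if pat.search(obj):
                hits.append((path, f"value looks like {reason}", obj))
                break
    return hits


def scan_response_body(body):
    """Parse a raw HTTP body; a non-JSON body yields no hits instead of raising."""
    try:
        return find_sensitive_fields(json.loads(body))
    except json.JSONDecodeError:
        return []


# Constructed sample of what an over-exposing user listing might look like.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": [
        {
            "user_id": 1,
            "user_login": "analyst",
            "user_email": "analyst@example.invalid",
            "user_password": "$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
            "mfa_secrets": "JBSWY3DPEHPK3PXP",
        }
    ],
    "server": {"datastore_path": "/opt/iris/server/datastore"},
})

if __name__ == "__main__":
    for json_path, reason, value in scan_response_body(SAMPLE_RESPONSE):
        print(f"{json_path}: {reason} -> {value!r}")
```

Run it against a saved response body (for example `curl ... > resp.json` and feed the file to `scan_response_body`) for each endpoint an ordinary user can reach; a hit on any of the three reasons is the condition the advisory describes, and the same walk can be re-run after upgrading to 2.4.28 to confirm the fields are gone. The value patterns are heuristics, so expect occasional false positives on things like upload paths that are legitimately part of the UI.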

Executive Summary

The vulnerability exists in IRIS, a web collaborative platform used by incident responders. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. This means that users could potentially access information they should not have access to. The issue was fixed in version 2.4.28.

Compliance Impact

The vulnerability in IRIS versions prior to 2.4.28 causes the platform to return sensitive data to users that is not required for the client’s operation.

Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls on the handling and disclosure of personal and sensitive information.

Therefore, this vulnerability could potentially result in violations of these standards by exposing sensitive information unnecessarily.
