CVE-2026-42539
Deferred Deferred - Pending Action

Information Disclosure in IRIS Platform

Vulnerability report for CVE-2026-42539, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-07-15
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
iris iris to 2.4.28 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data to users who do not need it for their operations. This could result in exposure of confidential information, potentially compromising privacy or security within an organization.

Executive Summary

The vulnerability exists in IRIS, a web collaborative platform used by incident responders. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client's operation. This means that users could potentially access information they should not have access to. The issue was fixed in version 2.4.28.

Mitigation Strategies

To mitigate this vulnerability, upgrade IRIS to version 2.4.28 or later, as this version contains the patch that prevents sensitive data from being returned unnecessarily.

Detection Guidance

This vulnerability involves the IRIS web application (versions 2.4.27 and earlier) returning excessive sensitive data in API responses, such as password hashes, MFA secrets, and local server storage paths.

To detect this vulnerability on your network or system, you can monitor and analyze API responses from the IRIS application for the presence of sensitive data that should not be exposed.

Suggested commands include using tools like curl or wget to make API requests and inspecting the responses for sensitive information exposure.

  • curl -i -X GET "http://<iris-server>/api/endpoint" -H "Authorization: Bearer <token>"
  • Use grep or jq to search the response for keywords such as 'password', 'hash', 'MFA', or 'secret'. For example: curl ... | grep -i 'password'
  • Capture and analyze network traffic with tools like Wireshark or tcpdump to inspect API responses for sensitive data.

If sensitive data like password hashes or MFA secrets are found in the responses, it indicates the presence of this vulnerability.

Compliance Impact

The vulnerability in IRIS versions prior to 2.4.28 causes the platform to return sensitive data to users that is not required for the client’s operation.

Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls on the handling and disclosure of personal and sensitive information.

Therefore, this vulnerability could potentially result in violations of these standards by exposing sensitive information unnecessarily.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart