CVE-2026-42540
Deferred - Pending Action
Privilege Escalation in IRIS Web Platform

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Vendor: iris
Product: iris
Version / Range: versions before 2.4.28 (2.4.28 excluded)
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains the patch that fixes the issue.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing API requests to the IRIS web application, in particular requests to endpoints such as `/manage/asset-type/update/<id>`, `/manage/asset-type/add`, and `/user/update`.

Look for unusual or unauthorized modifications in API request payloads where parameters that the GUI never sends are present, such as changes to asset type IDs, account types, UUIDs, MFA secrets, account status, or usernames.

Suggested commands include using network traffic inspection tools like `tcpdump` or `Wireshark` to capture HTTP requests to these endpoints, or using `curl` or similar tools to manually test the API with crafted requests to see if unauthorized changes are accepted. Note that traffic to these endpoints is normally TLS-encrypted, so request bodies are only visible at a point where TLS is terminated (the reverse proxy or the application itself); application or proxy access logs that record request bodies are usually the more practical source.

  • Example curl command to test the vulnerability (replace <id> and server URL accordingly):
    curl -X POST https://<iris-server>/manage/asset-type/update/<id> -d '{"id":666, "other_param":"value"}' -H 'Content-Type: application/json' -b 'auth_cookie=your_auth_cookie'

Additionally, reviewing application logs for unexpected changes to sensitive fields or accounts can help detect exploitation attempts.
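The detection approach described above (flag POST requests to the named endpoints whose body carries fields the GUI would not send) can be automated over request logs. The script below is an added example written for this page; it is not IRIS project code. It assumes an audit or reverse-proxy log in JSON-lines form with `method`, `path`, `user` and `body` fields, and the per-endpoint allowed-field sets and the sample log lines are constructed assumptions, not IRIS's real parameter names; a deployment would replace them with the fields its own GUI actually submits.

```python
"""Flag IRIS API requests carrying fields that the web GUI never sends.

Added example (not IRIS project code). Input records are JSON lines with an
ASSUMED schema: {"method", "path", "user", "body"}; the body is the parsed
JSON request payload as logged by a reverse proxy or application audit hook.
"""
import json
import re
from typing import Iterable, Optional

# Endpoints the advisory names. The <id> path segment is matched as digits.
# The allowed-field sets are ASSUMED examples of what a GUI form submits;
# they are not IRIS's real parameter names and must be tuned per deployment.
WATCHED_ENDPOINTS = [
    (re.compile(r"^/manage/asset-type/update/\d+$"), {"asset_name", "asset_description"}),
    (re.compile(r"^/manage/asset-type/add$"), {"asset_name", "asset_description"}),
    (re.compile(r"^/user/update$"), {"user_name", "user_email", "user_password"}),
]

# Key fragments that map to the sensitive categories the advisory lists
# (object IDs, account types, UUIDs, MFA secrets, account status).
SENSITIVE_KEY = re.compile(r"(^|_)(id|uuid|mfa|type|active|status)($|_)", re.IGNORECASE)


def inspect_request(record: dict) -> Optional[dict]:
    """Return a finding for one request record, or None if it looks normal."""
    if str(record.get("method", "")).upper() != "POST":
        return None
    path = str(record.get("path", ""))
    for pattern, allowed in WATCHED_ENDPOINTS:
        if pattern.match(path):
            break
    else:
        return None  # endpoint not in scope for this check
    body = record.get("body") or {}
    if not isinstance(body, dict):
        return None
    # Any key outside the GUI allowlist is suspicious; sensitive keys rank higher.
    unexpected = sorted(set(body) - allowed)
    if not unexpected:
        return None
    sensitive = [k for k in unexpected if SENSITIVE_KEY.search(k)]
    return {
        "user": record.get("user", "?"),
        "path": path,
        "unexpected_fields": unexpected,
        "severity": "high" if sensitive else "medium",
    }


def scan_log(lines: Iterable[str]) -> list:
    """Run inspect_request over JSON log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a request record; do not abort the whole scan
        finding = inspect_request(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one benign update, two requests smuggling extra
# fields, one GET, one out-of-scope endpoint and one junk line.
SAMPLE_LOG = """
{"method": "POST", "path": "/manage/asset-type/update/3", "user": "alice", "body": {"asset_name": "Laptop", "asset_description": "Corporate laptop"}}
{"method": "POST", "path": "/manage/asset-type/update/3", "user": "bob", "body": {"asset_name": "Laptop", "id": 666}}
{"method": "POST", "path": "/user/update", "user": "carol", "body": {"user_email": "carol@example.test", "mfa_secrets": "", "active": false}}
{"method": "GET", "path": "/user/update", "user": "dave", "body": null}
{"method": "POST", "path": "/case/summary/update", "user": "erin", "body": {"id": 1, "summary": "x"}}
not-a-json-line
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['user']:6} {f['path']} extra={f['unexpected_fields']}")
```

Run as-is, the script reports bob's request (an unexpected `id` field on an asset-type update) and carol's request (`mfa_secrets` and `active` on a user update) and ignores the rest. The allowlist model is deliberate: an allowlist of GUI-submitted fields catches any new mass-assignment field, whereas a denylist of known-bad names only catches the ones already documented.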

Compliance Impact

The vulnerability allows authenticated users to manipulate sensitive data such as account types, MFA secrets, and usernames via crafted API requests. This unauthorized modification of sensitive information could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of the integrity and confidentiality of personal and sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Executive Summary

This vulnerability exists in the IRIS web collaborative platform, which is used by incident responders to share technical details during investigations. In versions prior to 2.4.28, a user can manipulate API requests to alter values in the database improperly. This means that unauthorized changes to stored data can be made through crafted API calls. The issue was fixed in version 2.4.28.

Impact Analysis

The vulnerability allows a user with some level of privileges to alter database values via manipulated API requests. This can lead to integrity issues where data may be changed without proper authorization. Although it does not impact confidentiality or availability, the integrity loss could affect the reliability of the information stored and shared within the IRIS platform.
