CVE-2026-42543
Status: Deferred - Pending Action
Cross-Site Request Forgery in IRIS Platform

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Vendor: iris
Product: iris
Version / Range: up to 2.4.28 (excluding)
CWE
CWE-650: The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.
Detection Guidance

This vulnerability can be detected by identifying HTTP GET requests that change server state, such as requests that rotate API tokens or log out users, which should normally be done via POST requests.

To detect potential exploitation attempts on your network or system, you can monitor HTTP traffic for GET requests that perform state-changing actions.

  • Use network traffic analysis tools like tcpdump or Wireshark to capture HTTP GET requests to the IRIS application endpoints. For example, to capture GET requests sent to the IRIS server (replace <iris_server_ip> with the actual IP; note that this only shows plaintext HTTP on port 80, so TLS traffic has to be inspected at the server or reverse proxy instead):

      tcpdump -i any -A 'tcp port 80 and dst host <iris_server_ip>' | grep 'GET '

  • Check web server logs for GET requests that trigger state changes, such as token rotation or logout URLs. For example, to find such requests in the access log:

      grep 'GET ' /var/log/iris/access.log | grep -E 'rotate_token|logout'

If such GET requests are found performing state changes, it indicates the presence of the vulnerable behavior.
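As an added illustration of the log check above (not part of the original advisory or of IRIS itself), the following Python script parses access-log lines in the Apache/NGINX combined format, flags GET requests to the state-changing paths named above, and records whether the Referer points off-host, which is the trace a forged cross-site request leaves; the log lines, hostname and paths are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the Apache/NGINX "combined" format; not real IRIS logs.
SAMPLE_LOG = """\
203.0.113.7 - analyst [05/Jun/2026:10:12:01 +0000] "POST /user/rotate_token HTTP/1.1" 200 87 "https://iris.example.internal/profile" "Mozilla/5.0"
203.0.113.7 - analyst [05/Jun/2026:10:13:44 +0000] "GET /user/rotate_token HTTP/1.1" 200 87 "https://evil.example.net/lure" "Mozilla/5.0"
203.0.113.9 - analyst [05/Jun/2026:10:14:02 +0000] "GET /logout HTTP/1.1" 302 0 "https://iris.example.internal/dashboard" "Mozilla/5.0"
203.0.113.9 - analyst [05/Jun/2026:10:14:30 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "https://iris.example.internal/dashboard" "Mozilla/5.0"
198.51.100.4 - analyst [05/Jun/2026:10:15:09 +0000] "GET /logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Path fragments from the advisory's grep; extend with other state-changing routes in your deployment.
STATE_CHANGING = ("rotate_token", "logout")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_state_changing_gets(log_text, app_host="iris.example.internal"):
    """Return one finding per GET request whose path contains a state-changing fragment.

    cross_site is True when the Referer host differs from app_host or is absent ("-"):
    a forged request from another origin carries that origin (or none) as Referer.
    A missing Referer is ambiguous (privacy settings, direct navigation), so treat it
    as a lead rather than proof. app_host is an assumed hostname for the IRIS instance.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["method"] != "GET":
            continue  # unparsable or not a GET; count parse failures separately in production
        if not any(frag in m["path"] for frag in STATE_CHANGING):
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        findings.append({
            "ts": m["ts"], "ip": m["ip"], "user": m["user"], "path": m["path"],
            "status": int(m["status"]), "referer": m["referer"],
            "cross_site": ref_host != app_host,
        })
    return findings

if __name__ == "__main__":
    for f in find_state_changing_gets(SAMPLE_LOG):
        flag = "CROSS-SITE" if f["cross_site"] else "same-site"
        print(f'{f["ts"]} {f["user"]}@{f["ip"]} GET {f["path"]} -> {f["status"]} [{flag}] referer={f["referer"]}')
```

Any hit at all confirms the vulnerable behaviour is reachable; the cross-site flag helps separate a user's own navigation from a request that arrived via another origin.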

Executive Summary

This vulnerability affects IRIS, a web collaborative platform used by incident responders. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery (CSRF) attack because they use the HTTP GET method to change the state on the server, which is unsafe. Normally, GET requests should not cause state changes. This flaw allows an attacker to trick a user into making unintended requests that alter data or state on the server without their consent. The issue was fixed in version 2.4.28.

Impact Analysis

The vulnerability can lead to unauthorized changes on the IRIS server by exploiting the unsafe use of GET requests to modify state. An attacker could potentially cause a user to unknowingly perform actions that alter data or configurations within the platform, which could disrupt incident response workflows or compromise the integrity of shared investigation details.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains a patch that fixes the cross-site request forgery issue caused by using the HTTP GET method to change server state.
