CVE-2026-42543
Cross-Site Request Forgery in IRIS Platform
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iris | iris | to 2.4.28 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-650 | The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects IRIS, a web collaborative platform used by incident responders. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery (CSRF) attack because they use the HTTP GET method to change the state on the server, which is unsafe. Normally, GET requests should not cause state changes. This flaw allows an attacker to trick a user into making unintended requests that alter data or state on the server without their consent. The issue was fixed in version 2.4.28.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized changes on the IRIS server by exploiting the unsafe use of GET requests to modify state. An attacker could potentially cause a user to unknowingly perform actions that alter data or configurations within the platform, which could disrupt incident response workflows or compromise the integrity of shared investigation details.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains a patch that fixes the cross-site request forgery issue caused by using the HTTP GET method to change server state.