GraphQL Authorization Bypass in DFIR-IRIS Web Collaborative Platform
CVE-2026-41522

7.1HIGH

Key Information:

Vendor

Dfir-iris

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-41522?

DFIR-IRIS, a web collaborative platform designed for incident responders, suffered from an authorization bypass due to a misconfigured GraphQL endpoint at /graphql. Before version 2.4.28, this endpoint allowed any authenticated user to exploit the system in several ways: they could read unauthorized indicators of compromise (IOCs) across cases, disclose bulk IOCs tied to different cases, and even create new cases without appropriate permissions. These security flaws stem from the lack of proper authorization checks, enabling users to access and manipulate sensitive data without regard for their assigned roles or case access control lists (ACLs). The issue has since been addressed in version 2.4.28, which removed the vulnerable GraphQL feature entirely. For users still utilizing earlier versions, it is recommended to either block access to /graphql at the reverse proxy or modify the application’s source code to prevent the GraphQL blueprint from loading.

Affected Version(s)

iris-web < 2.4.28

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.