GraphQL Authorization Bypass in DFIR-IRIS Web Collaborative Platform
CVE-2026-41522
What is CVE-2026-41522?
DFIR-IRIS, a web collaborative platform designed for incident responders, suffered from an authorization bypass due to a misconfigured GraphQL endpoint at /graphql. Before version 2.4.28, this endpoint allowed any authenticated user to exploit the system in several ways: they could read unauthorized indicators of compromise (IOCs) across cases, disclose bulk IOCs tied to different cases, and even create new cases without appropriate permissions. These security flaws stem from the lack of proper authorization checks, enabling users to access and manipulate sensitive data without regard for their assigned roles or case access control lists (ACLs). The issue has since been addressed in version 2.4.28, which removed the vulnerable GraphQL feature entirely. For users still utilizing earlier versions, it is recommended to either block access to /graphql at the reverse proxy or modify the application’s source code to prevent the GraphQL blueprint from loading.
Affected Version(s)
iris-web < 2.4.28
