MEDIUM 6.5

CVE-2026-42539: IRIS Information Disclosure Vulnerability (6.5 CVSS) – Patch to 2.4.28

IRIS is a web-based platform used by incident response teams to collaborate and share technical details during security investigations. A vulnerability in versions before 2.4.28 causes the platform to leak sensitive information to authenticated users that those users should not have access to. This happens because the application returns unnecessary data in responses, exposing information beyond what the client application actually needs to function. An attacker with valid IRIS credentials can exploit this to view restricted incident data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-201
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42539 is an information disclosure vulnerability arising from improper data exposure in IRIS prior to version 2.4.28. The vulnerability is classified under CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor) and stems from the application returning excessive sensitive data in API or interface responses to authenticated users. The CVSS 3.1 score of 6.5 (MEDIUM severity) reflects a network-accessible attack requiring valid user credentials, with no user interaction needed and no system availability impact, but with a high confidentiality consequence. The attack vector is network-based, access complexity is low, and privileges are required but assume an attacker already possesses valid account credentials.

Business impact

For organizations deploying IRIS as a collaborative incident response platform, this vulnerability risks unintended disclosure of sensitive investigation data to authorized team members who should have restricted access. In security contexts, this can lead to lateral information leakage where junior analysts, contractors, or compromised accounts view incident details beyond their assigned scope. This may violate internal access controls, compliance policies (such as need-to-know principles), or regulatory requirements around data compartmentalization. The impact is heightened if IRIS stores indicators, attack patterns, or victim information that should remain restricted to senior investigators or specific teams.

Affected systems

IRIS versions prior to 2.4.28 are affected. Version 2.4.28 and later contain the fix. The vulnerability requires the attacker to be an authenticated user of the IRIS platform, so exposure is limited to organizations running vulnerable IRIS deployments with active user bases.

Exploitability

Exploitation requires valid IRIS user credentials and network access to the platform. No special techniques, user interaction, or complex exploitation chains are needed; an authenticated attacker can trigger the vulnerability through normal platform use. The low attack complexity and lack of user interaction requirement make this straightforward to exploit once credentials are obtained. However, the requirement for prior authentication raises the bar compared to unauthenticated attacks. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, though this does not guarantee absence of weaponized exploitation in the wild.

Remediation

Organizations running IRIS should upgrade to version 2.4.28 or later immediately. This version contains the patch that prevents the oversharing of sensitive data in platform responses. Before patching, consider restricting IRIS access to a minimal set of trusted users and review access control policies to ensure users can only view incidents they are assigned to. Verify the upgrade path with your IRIS deployment method (cloud-hosted, self-hosted, containerized, etc.) and test in a staging environment first to confirm compatibility.

Patch guidance

Upgrade IRIS to version 2.4.28 or later. Consult the vendor's release notes and advisory for any breaking changes, migration steps, or configuration adjustments required during the upgrade. If you operate IRIS in a containerized or orchestrated environment, ensure your deployment pipeline pulls the patched image version. Test the upgrade in a non-production environment before rolling out to production incident response workflows to avoid disruption during active investigations.

Detection guidance

Detection strategies include: (1) audit API response logging to identify instances where users receive data objects not matching their assigned incident scope; (2) review IRIS access logs for unusual user query patterns, especially queries requesting data outside a user's normal incident assignments; (3) monitor for data exfiltration attempts by users with limited authorization; (4) implement data loss prevention (DLP) rules to flag suspicious copying or exporting of incident data; (5) compare user permissions in the IRIS database or configuration against actual data access observed in logs to identify discrepancies. Organizations without comprehensive logging may need to enable verbose application logging temporarily during investigation.

Why prioritize this

This vulnerability merits prompt but measured response. The MEDIUM severity reflects a real confidentiality risk without active exploitation in the wild (not in KEV). The requirement for authentication and the absence of availability or integrity impact limit immediate operational risk, but the nature of IRIS—handling sensitive incident response data—means even limited leakage can compromise investigation integrity or reveal tactics to unauthorized staff. Prioritize patching for IRIS instances handling high-sensitivity investigations or those with large user bases where unauthorized access is more likely.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) network-accessible attack surface with low complexity, reducing barriers to exploitation; (2) requirement for valid user credentials, which moderates risk for well-controlled deployments but increases risk for organizations with broad IRIS access; (3) high confidentiality impact (users can view sensitive investigation data they should not see); (4) no integrity or availability consequences; (5) attack scope is unchanged (user remains within IRIS scope). The score appropriately elevates risk above low because information disclosure in security platforms has downstream consequences for other investigations and teams.

Frequently asked questions

Can this vulnerability be exploited without valid IRIS credentials?

No. The vulnerability requires an authenticated user account with active access to the IRIS platform. However, if a user's IRIS credentials are compromised through phishing, password reuse, or lateral movement, an attacker can immediately exploit the flaw to access sensitive incident data beyond the user's normal scope.

Does upgrading to 2.4.28 require downtime?

Upgrade procedures vary depending on your IRIS deployment method. Cloud-hosted instances may be upgraded transparently by the vendor, while self-hosted deployments typically require a service restart. Plan the upgrade during a maintenance window when active incident response workflows are not in progress, and test in a staging environment first to confirm compatibility with your custom configurations or integrations.

What should we do if we suspect sensitive incident data has already been exposed due to this vulnerability?

Review IRIS audit logs for the affected version to identify which users accessed incident data outside their normal scope, what data was viewed, and when. Notify relevant stakeholders of potential exposure and consider whether incidents that were leaked require re-assessment or notification to external parties. After patching, implement more granular access controls in IRIS to enforce the principle of least privilege.

Is this vulnerability affecting any other platforms besides IRIS?

Based on available intelligence, this vulnerability is specific to IRIS. No other platforms are currently identified as affected. However, verify this against the latest vendor advisories and your own software inventory to ensure no related products are at risk.

This analysis is based on publicly available vulnerability data and vendor advisories as of the publication date. While we strive for accuracy, no guarantee is provided regarding completeness or real-world applicability in all environments. Organizations should independently verify patch availability, compatibility, and testing results before deploying patches to production. This document does not constitute professional security advice specific to your infrastructure. Consult your IRIS vendor, systems administrators, and security team for guidance tailored to your deployment. CVSS scores represent mathematical models; business risk depends on your specific environment, access controls, and data sensitivity. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).