MEDIUM 4.3

CVE-2026-42543: IRIS CSRF Vulnerability – Patch to 2.4.28

IRIS, a web-based platform used by incident responders to collaborate and share technical details during investigations, contains a cross-site request forgery (CSRF) vulnerability in versions prior to 2.4.28. The vulnerability exists because the platform uses HTTP GET requests to perform state-changing actions on the server—a design flaw that allows an attacker to trick authenticated users into unknowingly executing unwanted actions. An attacker could craft a malicious link or webpage that, when visited by an IRIS user, silently modifies data or settings without the user's knowledge or consent.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-650
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability (CVE-2026-42543) is classified as CWE-650 (Insecure Direct Object References and State-Change Requests via GET). IRIS versions before 2.4.28 fail to enforce the fundamental web security principle of using POST, PUT, or DELETE methods for operations that change server state. Instead, state-modifying actions are performed via GET requests, which are trivial to trigger via cross-site means. This allows an unauthenticated attacker to craft a request that, when executed in the browser context of an authenticated IRIS user, results in unauthorized state changes. The CVSS 3.1 score of 4.3 (MEDIUM) reflects limited impact—integrity is compromised but confidentiality and availability are not directly affected—and the requirement for user interaction (visiting a malicious link).

Business impact

The integrity of incident response investigations could be compromised if attackers manipulate case data, modify findings, or alter collaboration artifacts without proper authorization trails. For security teams relying on IRIS to coordinate breach investigations or forensic activities, unauthorized state changes could introduce confusion, obscure the true timeline of events, or lead to incorrect conclusions. While direct data exfiltration is not a concern, the reputational and operational risk of corrupted investigation records is material, particularly in regulated environments requiring audit trails and evidence integrity.

Affected systems

IRIS versions prior to 2.4.28 are vulnerable. Version 2.4.28 and later contain the patch. Organizations running earlier versions, especially those deployed as central collaboration hubs for incident response, are at risk. The vulnerability does not require network proximity or special privileges to exploit—any web-accessible IRIS instance is a potential target if users can be socially engineered or exposed to attacker-controlled content.

Exploitability

Exploitability is moderate. The attack requires user interaction (the target must click a link or visit a malicious website while authenticated to IRIS), which reduces the likelihood of large-scale automated exploitation. However, social engineering is straightforward, and incident responders may be more likely than typical users to follow links from seemingly trusted sources during active investigations. The attack leaves minimal forensic evidence if not carefully logged, and there is no requirement for authentication bypass or complex technical manipulation—only abuse of the insecure GET-based state changes.

Remediation

Upgrade IRIS to version 2.4.28 or later immediately. Version 2.4.28 contains the necessary patch to enforce proper HTTP methods for state-changing operations. Organizations unable to upgrade immediately should implement compensating controls, such as Content Security Policy (CSP) headers to restrict cross-origin requests, or educate users to avoid clicking untrusted links while authenticated. Verify compatibility with your deployment before upgrading.

Patch guidance

Deploy version 2.4.28 or later. Before upgrading in production, test the patch in a non-production environment to confirm functionality and compatibility with any custom integrations or plugins. Review the IRIS release notes for version 2.4.28 to understand any configuration changes or deprecations. Once deployed, confirm that state-changing actions now use appropriate HTTP methods (POST, PUT, DELETE) rather than GET.

Detection guidance

Monitor web server and application logs for suspicious patterns: repeated GET requests from external origins targeting state-change endpoints, unusual referrer headers, or GET requests containing action parameters (e.g., 'action=delete' or 'action=modify'). Implement logging of all state-change operations with user identity and HTTP method. Review IRIS audit logs for unexplained changes to case data, findings, or user permissions. If possible, correlate authentication timestamps with state-change events to identify requests executed outside normal user behavior patterns.

Why prioritize this

This vulnerability should be prioritized for patching in the next maintenance window, but not emergency escalation. The CVSS score of 4.3 (MEDIUM) and lack of KEV designation reflect the requirement for user interaction and limited scope of compromise. However, the nature of IRIS as a central incident response collaboration platform means that compromised data integrity could have downstream investigation impacts. Organizations relying heavily on IRIS for critical incident coordination should patch sooner; those with lighter usage may consolidate patching with standard update cycles.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) accounts for: network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction needed (UI:R). Impact is confined to integrity (I:L) with no confidentiality or availability loss. The score appropriately reflects that while the vulnerability is easy to exploit, the damage is limited to unauthorized state changes rather than data breach or system outage. Organizations with strict change control and audit logging may experience lower real-world risk than the base score suggests.

Frequently asked questions

Can an attacker steal incident data via this vulnerability?

No. This is a state-modification vulnerability, not a data exfiltration vector. An attacker can change data or settings, but cannot directly read confidential information from IRIS. The risk is to data integrity and consistency of the investigation record, not confidentiality.

Do our users need to do anything besides the upgrade?

After the upgrade to version 2.4.28, the vulnerability is patched. Users do not need to change passwords or take additional action. However, it is advisable to review the audit log for any suspicious state changes that may have occurred before the patch was applied.

Is this vulnerability exploited in the wild?

No. CVE-2026-42543 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation has been reported as of the vulnerability publication date. However, the low complexity and social engineering potential mean exploitation could begin at any time.

What if we cannot upgrade immediately?

Implement temporary controls: restrict IRIS access to a VPN or trusted network, educate staff to avoid suspicious links while authenticated, deploy web application firewalls (WAF) to block cross-origin GET requests to sensitive endpoints, and monitor logs closely for anomalies. These are not substitutes for patching but can reduce risk until version 2.4.28 is deployed.

This analysis is based on the CVE record and vendor advisory current as of publication. CVSS scores are computed by NIST and MITRE; severity classifications may vary by organizational risk model. Recommendations assume standard IRIS deployments; custom configurations may require different controls. Organizations should verify patch compatibility in their environment before production deployment. This intelligence is provided for informational purposes to support vulnerability management decisions and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).