CVE-2026-42547: IRIS Authorization Bypass Allows False Alert Creation and Customer Data Exfiltration
IRIS, a web platform used by incident response teams to collaborate and share investigation details, contains an authorization flaw in versions before 2.4.28 that allows users to create alerts falsely attributed to customers they don't manage. When combined with cross-site scripting vulnerabilities, attackers can also steal alerts belonging to other customers. This means a low-privileged user could pollute another team's alert stream with fraudulent incidents or harvest sensitive investigation data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination with Cross-Site Scripting, this can also be used to exfiltrate alerts from other customers. Version 2.4.28 contains a patch.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42547 is an improper access control vulnerability (CWE-863) in IRIS versions prior to 2.4.28. The platform fails to properly validate whether a user has authorization to create alerts on behalf of unassigned customers. An authenticated user with low privileges can craft requests to associate alerts with arbitrary customers, bypassing ownership checks. The vulnerability is compounded by the platform's susceptibility to reflected or stored XSS, which can be chained to exfiltrate alert contents from other customers' tenants. The CVSS 3.1 score of 5.4 (MEDIUM) reflects network-accessible exploitation requiring login credentials, with confidentiality and integrity impacts but no availability impact.
Business impact
This vulnerability creates two operational risks for incident response teams relying on IRIS. First, attackers can poison alert records with false or misleading incidents, degrading trust in the platform's data integrity and potentially triggering false investigations that waste analyst time. Second, if an attacker combines this flaw with XSS, they can exfiltrate sensitive investigation details across customer boundaries, violating data segregation assumptions and potentially exposing sensitive incident response procedures or breach details to competitors or threat actors. In multi-tenant or shared-team environments, this represents a significant cross-contamination risk.
Affected systems
IRIS versions prior to 2.4.28 are affected. Version 2.4.28 and later contain the patch. Organizations running older versions of IRIS in production should prioritize inventory and assessment. The vulnerability requires an authenticated user account, so exposure is limited to personnel with platform access, but insider threats or compromised credentials pose realistic attack vectors.
Exploitability
The vulnerability is moderately exploitable. An attacker must be authenticated to the IRIS platform—a requirement that reduces casual exploitation but does not eliminate risk in environments with weak credential controls or shared accounts. The attack is straightforward: crafting HTTP requests to create alerts with forged customer associations requires minimal technical sophistication. When combined with XSS (a separate but plausible flaw in web platforms), the exfiltration component becomes more potent. No known public exploits are indexed in CISA's KEV catalog, and this is not currently flagged as actively exploited in the wild, but the low complexity and internal-threat potential warrant proactive patching.
Remediation
Upgrade IRIS to version 2.4.28 or later immediately. This is a straightforward patch deployment with no known breaking changes. Verify against the vendor advisory for any pre-upgrade requirements. If immediate patching is not feasible, implement compensating controls: restrict IRIS access to a minimal set of trusted users, enforce strong multi-factor authentication for all platform accounts, monitor alert creation logs for anomalies (e.g., alerts created by users for unassigned customers), and conduct access reviews to revoke unnecessary permissions.
Patch guidance
Apply IRIS version 2.4.28 or later. This patch addresses the authorization bypass by validating customer ownership on alert creation. Test the patch in a non-production environment first to confirm compatibility with your incident response workflows. Verify that users can still create alerts for assigned customers and that cross-customer alert visibility is properly restricted after upgrade. Document the deployment and confirmation steps for audit purposes.
Detection guidance
Monitor IRIS application logs for the following indicators: (1) Alert creation requests where the user ID does not match the customer assignment; (2) Rapid or unusual alert creation patterns from low-privilege accounts; (3) Alerts attributed to customers with no corresponding user assignment in the access control records; (4) Access to alert data by users outside the owning customer's team. Correlate IRIS logs with authentication logs to identify compromised or shared accounts. If XSS is suspected, also search for unusual JavaScript payloads in alert titles or descriptions, and trace any exfiltration attempts to external domains via network logs.
Why prioritize this
Although the CVSS score is MEDIUM (5.4), this vulnerability should be prioritized in multi-tenant or shared-team incident response environments due to high data sensitivity. Incident response platforms are high-value targets because they contain technical details of security breaches, threat actor TTPs, and customer vulnerabilities. Cross-customer contamination or data theft could have severe reputational and legal consequences. The attack requires authentication, limiting scope to insider threats, but weak access controls or credential compromise are common. Organizations with strict customer isolation requirements or regulatory obligations (e.g., multi-customer managed security services) should treat this as high priority despite the moderate CVSS rating.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects a network-accessible vulnerability requiring authentication, low attack complexity, no user interaction, and impacts to confidentiality (alert theft via XSS) and integrity (false alert creation). The score does not account for contextual risk: the sensitivity of incident response data, the potential for insider exploitation, or the compounding effect of chaining with XSS. Organizations should apply business context: if IRIS is shared across customers or teams with strict data segregation requirements, treat as HIGH priority despite the moderate CVSS.
Frequently asked questions
Do we need to patch immediately if IRIS is only used internally by our security team with no multi-tenancy?
The integrity risk (false alert creation) still applies; a malicious insider could plant fake incidents. However, the exfiltration risk is lower in single-tenant deployments. Patch within your standard change window, but prioritize higher if you have shared user accounts or weak access controls.
Can we mitigate this without upgrading?
Partial mitigation is possible via strong access controls: restrict IRIS logins to named individuals (no shared accounts), enforce MFA, monitor alert creation logs for anomalies, and conduct quarterly access reviews. However, these are not substitutes for patching; they reduce risk but do not close the authorization bypass. Upgrade to 2.4.28 as soon as feasible.
Does this vulnerability allow unauthenticated access?
No. The vulnerability requires a valid IRIS user account. This limits exposure to personnel with platform credentials or threat actors who have compromised credentials. Securing authentication (strong passwords, MFA, credential monitoring) is part of the defense strategy.
Is there public exploit code available?
There is no known public exploit code, and CISA has not flagged this CVE as actively exploited. This does not mean an exploit will not emerge; proactive patching is the best defense.
This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should validate all patch versions and deployment procedures against official vendor advisories before applying updates. The effectiveness of compensating controls depends on implementation and monitoring discipline. Security leaders should conduct risk assessments tailored to their environment, data classification, and compliance obligations. This analysis does not constitute a guarantee of exploit availability, real-world attack prevalence, or patch completeness. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals
- CVE-2026-34507MEDIUMOpenClaw QQBot Admin Command Policy Bypass (CVSS 5.4)
- CVE-2026-35673MEDIUMOpenClaw SSRF Policy Bypass in Debug and Export Routes
- CVE-2026-40914MEDIUMApache Artemis STOMP Protocol Authorization Bypass