CVE-2026-41522— Iris 授权问题漏洞

Iris has an Improper Authorization issue

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR), bulk IOC disclosure via `case.iocs`. The `case(caseId: …).iocs` resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case, and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart.

N/A

授权机制不恰当

Iris 授权问题漏洞

Iris是DFIR-IRIS开源的一个快速、简单但功能齐全且非常高效的 Go 网络框架。 Iris 2.4.28之前版本存在授权问题漏洞，该漏洞源于GraphQL端点未强制执行授权检查，可能导致未授权IOC读取、批量IOC泄露和未授权案例创建。

N/A

N/A