CVE-2026-22783
Published: 12 January 2026
Summary
CVE-2026-22783 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Dfir-Iris Iris. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates mass assignment of the file_local_name field by requiring that client-supplied fields be validated so a user cannot specify an arbitrary filesystem path.
- AC-3 (Access Enforcement): enforces approved access authorizations so that delete operations validate the stored path and cannot remove filesystem resources outside the datastore.
- AC-6 (Least Privilege): limits the impact of path-manipulation exploits by restricting authenticated users to the least privilege necessary for legitimate file operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a web-accessible DFIR application and can be exploited remotely by any authenticated user to delete arbitrary files (T1190). Arbitrary file deletion in turn supports data destruction (T1485) and removal of indicators by deleting files (T1070.004).
NVD Description
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.
Deeper analysis
CVE-2026-22783 affects the DFIR-IRIS datastore file management system in Iris, a web collaborative platform used by incident responders to share technical details during investigations. Prior to version 2.4.24, the vulnerability stems from mass assignment of the file_local_name field combined with insufficient path validation in the delete operation. It is linked to CWE-73 (External Control of File Name or Path), CWE-434 (Unrestricted Upload of File with Dangerous Type), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The flaw enables authenticated users to manipulate file metadata and target arbitrary filesystem paths for deletion. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H): high integrity and availability impact with a changed scope, reachable over the network with low privileges and no user interaction, which is what drives the Critical rating.
An attacker with authenticated access (low privileges required) can exploit this through a three-step chain: first, upload a file to the datastore; second, use mass assignment to update the file's file_local_name field to an arbitrary filesystem path; third, trigger the delete operation, which trusts the modified path and removes the targeted file without validation. Successful exploitation allows arbitrary file deletion on the server, potentially disrupting Iris operations, erasing critical incident response data, or affecting underlying system files, with network-based access and no user interaction needed.
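The three-step chain above, and the input-validation and access-enforcement controls listed under Mitigating Controls, are easier to reason about as code. The following is an added, constructed Python model of the pattern; it is not DFIR-IRIS code. Only the field name file_local_name comes from the advisory; the record class, the other field names, the request body and the handler shapes are assumptions made for the example. It runs against a throwaway directory so the deletion is real but harmless.

```python
"""
Constructed model of the CVE-2026-22783 attack chain (not DFIR-IRIS code).

A vulnerable update handler copies every request field onto the record
(mass assignment, CWE-915); a vulnerable delete handler removes whatever
path the record holds (path trust, CWE-73). Two hardened variants show the
allow-list fix and the path-containment fix independently.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class DatastoreFile:
    """Stand-in for a datastore record. Apart from file_local_name, the
    field names are assumptions for this example."""
    file_id: int
    file_original_name: str
    file_local_name: str          # server-side path of the stored blob
    file_description: str = ""


def constructed_update_request(target_path: str) -> dict:
    """Hypothetical JSON body an authenticated user could submit (constructed)."""
    return {"file_description": "harmless edit", "file_local_name": target_path}


def vulnerable_update(rec: DatastoreFile, body: dict) -> DatastoreFile:
    """Mass assignment: any known attribute, including file_local_name,
    is overwritten from the client-controlled body."""
    for key, value in body.items():
        if hasattr(rec, key):
            setattr(rec, key, value)
    return rec


def vulnerable_delete(rec: DatastoreFile) -> None:
    """Path trust: the stored path is removed without checking where it points."""
    os.remove(rec.file_local_name)


# Hardened variants -----------------------------------------------------------

UPDATABLE_FIELDS = frozenset({"file_original_name", "file_description"})


def safe_update(rec: DatastoreFile, body: dict) -> DatastoreFile:
    """Allow-list the client-modifiable fields (SI-10). file_local_name is
    server-owned and silently ignored if the client sends it."""
    for key in UPDATABLE_FIELDS.intersection(body):
        setattr(rec, key, body[key])
    return rec


def safe_delete(rec: DatastoreFile, datastore_root: Path) -> Path:
    """Only delete paths that resolve inside the datastore root (AC-3).
    resolve() follows symlinks, so a link planted inside the root that
    points outside is also refused. Returns the path actually removed."""
    root = datastore_root.resolve()
    target = Path(rec.file_local_name).resolve()
    if root not in target.parents:
        raise PermissionError(f"refusing to delete outside datastore: {target}")
    os.remove(target)
    return target


def run_chain(mode: str) -> dict:
    """Run upload -> retarget -> delete in a temp tree and report what survived.
    mode: "vulnerable", "hardened_update" (allow-list only) or
    "hardened_delete" (path check only, mass assignment still present)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        root.mkdir()
        blob = root / "upload_1.bin"
        blob.write_bytes(b"uploaded content")              # step 1: upload
        victim = Path(tmp) / "outside" / "important.conf"  # constructed target
        victim.parent.mkdir()
        victim.write_text("do not delete")

        rec = DatastoreFile(1, "evidence.bin", str(blob))
        body = constructed_update_request(str(victim))    # step 2: retarget
        refused = False
        if mode == "vulnerable":
            vulnerable_update(rec, body)
            vulnerable_delete(rec)                         # step 3: delete
        elif mode == "hardened_update":
            safe_update(rec, body)                         # retarget ignored
            vulnerable_delete(rec)                         # deletes the blob only
        elif mode == "hardened_delete":
            vulnerable_update(rec, body)                   # retarget succeeds...
            try:
                safe_delete(rec, root)                     # ...but delete refuses
            except PermissionError:
                refused = True
        else:
            raise ValueError(mode)
        return {"victim_exists": victim.exists(),
                "blob_exists": blob.exists(),
                "refused": refused}


if __name__ == "__main__":
    for m in ("vulnerable", "hardened_update", "hardened_delete"):
        print(f"{m:16s} {run_chain(m)}")
```

Either fix alone breaks the chain, which is why the page lists both SI-10 and AC-3: the allow-list stops the client from ever reaching the path field, and the containment check means that even a path written by some other bug cannot reach outside the datastore. Shipping both is the defence-in-depth posture to aim for.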
The vulnerability is addressed in Iris version 2.4.24, as detailed in the project's GitHub security advisory (GHSA-qhqj-8qw6-wp8v) and the fixing commit (57c1b80494bac187893aebc6d9df1ce6e56485b7). Security practitioners should upgrade to 2.4.24 or later and review access controls for authenticated users in DFIR environments, since any authenticated account is enough to exploit the issue.
Details
- CWE(s)