CVE-2026-22783

Critical

Published: 12 January 2026
Modified: 16 January 2026
KEV Added: none (not listed in CISA KEV)
Patch: available (fixed in 2.4.24)
CVSS Score (v3.1): 9.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS Score: 0.0030 (21.3rd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-22783 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in DFIR-IRIS (Iris). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22783 affects the DFIR-IRIS datastore file management system in Iris, a web collaborative platform used by incident responders to share technical details during investigations. In versions prior to 2.4.24, the flaw stems from mass assignment of the file_local_name field combined with insufficient path validation in the delete operation. It is linked to CWE-73 (External Control of File Name or Path), CWE-434 (Unrestricted Upload of File with Dangerous Type), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The flaw enables authenticated users to manipulate file metadata and target arbitrary filesystem paths for deletion. The issue carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H); its critical severity reflects high integrity and availability impacts in a changed scope.

An attacker with authenticated access (low privileges required) can exploit this through a three-step chain: first, upload a file to the datastore; second, use mass assignment to update the file's file_local_name field to an arbitrary filesystem path; third, trigger the delete operation, which trusts the modified path and removes the targeted file without validation. Successful exploitation allows arbitrary file deletion on the server, potentially disrupting Iris operations, erasing critical incident response data, or affecting underlying system files, with network-based access and no user interaction needed.

The vulnerability is addressed in Iris version 2.4.24, as detailed in the project's GitHub security advisory (GHSA-qhqj-8qw6-wp8v) and the fixing commit (57c1b80494bac187893aebc6d9df1ce6e56485b7). Security practitioners should upgrade to 2.4.24 or later to mitigate the issue, reviewing access controls for authenticated users in DFIR environments.
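The two defects the analysis above describes, mass assignment of a server-owned field and a delete that trusts the stored path, are both generic patterns. The following is an added example (not DFIR-IRIS code, and not taken from the fixing commit) showing the vulnerable update handler beside a hardened one that allowlists client-editable fields, plus a delete that confines the stored path to a datastore root before touching the filesystem. The record class, the `USER_EDITABLE_FIELDS` allowlist, the helper names, and the temporary directories are all assumptions constructed for the demo; only the field name `file_local_name` comes from the advisory.

```python
"""Allowlisted metadata update and path-confined delete for a file datastore.

Added example, not DFIR-IRIS code. Assumes an in-memory record whose
`file_local_name` holds the on-disk path (the field named in the advisory)
and a single datastore root under which every stored file must live.
"""
import os
import tempfile
from dataclasses import dataclass

# Constructed datastore root for the demo; a real deployment configures this.
DATASTORE_ROOT = tempfile.mkdtemp(prefix="iris-datastore-")


@dataclass
class DatastoreFile:
    file_id: int
    file_original_name: str   # display name, user-controlled
    file_description: str     # user-controlled
    file_local_name: str      # on-disk path, server-controlled only


# Fields a client may change. file_local_name is deliberately absent: the
# server derives it at upload time and never accepts it from request input.
USER_EDITABLE_FIELDS = frozenset({"file_original_name", "file_description"})


class RejectedUpdate(ValueError):
    """Raised when a request tries to set a field outside the allowlist."""


def update_file_vulnerable(record: DatastoreFile, payload: dict) -> DatastoreFile:
    """Mass-assignment pattern (CWE-915): every payload key becomes an attribute,
    so a client can overwrite file_local_name."""
    for key, value in payload.items():
        setattr(record, key, value)
    return record


def update_file_hardened(record: DatastoreFile, payload: dict) -> DatastoreFile:
    """Allowlist pattern: only declared client-editable fields are copied and any
    other key (file_local_name included) rejects the whole request."""
    unexpected = set(payload) - USER_EDITABLE_FIELDS
    if unexpected:
        raise RejectedUpdate(f"fields not editable by clients: {sorted(unexpected)}")
    for key in USER_EDITABLE_FIELDS & set(payload):
        setattr(record, key, str(payload[key]))
    return record


def resolve_inside_root(local_name: str, root: str = DATASTORE_ROOT) -> str:
    """Return the absolute path for local_name only if it stays under root.
    realpath() collapses '..' and follows symlinks, so an absolute or traversing
    value is detected before any filesystem call is made."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, local_name))
    if os.path.commonpath([root_real, candidate]) != root_real or candidate == root_real:
        raise PermissionError(f"path escapes datastore root: {local_name!r}")
    return candidate


def delete_file_hardened(record: DatastoreFile, root: str = DATASTORE_ROOT) -> bool:
    """Delete the stored file only after confining its path to the datastore root.
    Returns True if a file was removed, False if nothing existed at that path."""
    target = resolve_inside_root(record.file_local_name, root)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Exercise both update handlers and the confined delete; returns outcomes."""
    # Constructed: an uploaded file stored under a server-chosen name.
    with open(os.path.join(DATASTORE_ROOT, "a1b2c3.bin"), "wb") as fh:
        fh.write(b"evidence")
    # Constructed: a sentinel outside the datastore standing in for any other file.
    outside = os.path.join(tempfile.mkdtemp(prefix="iris-outside-"), "other.txt")
    with open(outside, "w") as fh:
        fh.write("not part of the datastore")

    payload = {"file_description": "renamed", "file_local_name": outside}

    rec_v = DatastoreFile(1, "report.pdf", "", "a1b2c3.bin")
    update_file_vulnerable(rec_v, payload)          # silently accepts the new path

    rec_h = DatastoreFile(2, "report.pdf", "", "a1b2c3.bin")
    try:
        update_file_hardened(rec_h, payload)
        hardened_rejected = False
    except RejectedUpdate:
        hardened_rejected = True

    try:                                            # defence in depth: even a
        delete_file_hardened(rec_v)                 # tampered record cannot reach
        confined_delete_refused = False             # outside the datastore root
    except PermissionError:
        confined_delete_refused = True

    return {
        "vulnerable_points_outside": rec_v.file_local_name == outside,
        "hardened_rejected": hardened_rejected,
        "confined_delete_refused": confined_delete_refused,
        "legit_deleted": delete_file_hardened(rec_h),
        "outside_still_exists": os.path.exists(outside),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are independent on purpose: the allowlist stops the metadata from being tampered with at all (SI-10 style input validation), and the realpath/commonpath confinement makes the delete safe even if some other code path writes a bad value into the record (AC-3 style enforcement at the point of use). Rejecting the request outright, rather than silently dropping the offending key, also gives you a log event worth alerting on.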

Vulnerability details

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

A vulnerability in a web-accessible DFIR application directly enables remote exploitation for arbitrary file deletion (T1190), which in turn supports data destruction (T1485) and removal of files or indicators (T1070.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31939 (shared CWE-73)
CVE-2026-28442 (shared CWE-73)
CVE-2024-12267 (shared CWE-73)
CVE-2026-26360 (shared CWE-73)
CVE-2025-10494 (shared CWE-73)
CVE-2025-0105 (shared CWE-73)
CVE-2025-10058 (shared CWE-73)
CVE-2025-12529 (shared CWE-73)
CVE-2025-9048 (shared CWE-73)
CVE-2026-5809 (shared CWE-73)

Affected Assets

dfir-iris / iris: ≤ 2.4.24

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates mass assignment of the file_local_name field by requiring validation of inputs to prevent specification of arbitrary filesystem paths.

AC-3 Access Enforcement (prevent): Enforces approved access authorizations to ensure delete operations validate paths and prevent removal of unauthorized filesystem resources.

Least privilege (prevent): Limits the impact of path manipulation exploits by restricting authenticated users to the least privilege necessary for legitimate file operations.
