CVE-2026-22783: CWE-434: Unrestricted Upload of File with Dangerous Type in dfir-iris iris-web
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.
AI Analysis
Technical Summary
CVE-2026-22783 is a critical security vulnerability identified in the iris-web component of the dfir-iris platform, a collaborative tool used by incident responders to share investigation details. The vulnerability exists in versions prior to 2.4.24 and involves an unsafe file management mechanism in the datastore. Specifically, the file_local_name field can be mass assigned by an authenticated user, allowing them to set this field to an arbitrary filesystem path. When the delete operation is invoked, it trusts the file_local_name path without proper validation or sanitization, enabling deletion of arbitrary files or directories on the server.

The attack chain requires three steps: first, an authenticated user uploads a file to the datastore; second, they update the file_local_name field to point to a target filesystem path; third, they trigger the delete operation, which removes the targeted file or directory. This leads to a loss of integrity and availability of critical files, potentially disrupting the platform's operation or tampering with forensic data.

The vulnerability is remotely exploitable over the network with low attack complexity, requiring only authenticated access and no user interaction. The CVSS v3.1 score is 9.6 (critical), reflecting the high impact on integrity and availability with network vector and low privileges required. The vulnerability is related to CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-915 (Improperly Controlled Modification of Object Prototype Attributes), and CWE-73 (External Control of File Name or Path). No known exploits are reported in the wild yet, but the severity and ease of exploitation make it a high-risk issue. The vendor has fixed the vulnerability in iris-web version 2.4.24.
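The two weaknesses the analysis describes, a record update that copies every submitted field (mass assignment of file_local_name) and a delete that unlinks whatever path the record carries, are easiest to see next to their hardened forms. The following is an added illustration written for this page, not iris-web's own code: the DatastoreFile record, the UPDATABLE_FIELDS allow-list, every function name, and all field names other than file_local_name are assumptions, and the sandbox files are constructed. The hardened update copies only allow-listed fields and reports any stray ones (a request carrying file_local_name is itself worth alerting on), and the hardened delete refuses any path that does not resolve inside the datastore root.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class DatastoreFile:
    """Hypothetical datastore record (not iris-web's model); only file_local_name
    comes from the advisory, the other field names are assumed."""
    file_id: int
    file_original_name: str
    file_local_name: str      # server-side storage path; must never be client-controlled
    file_description: str = ""


# Fields a client may change on an existing record. file_local_name is
# deliberately absent: the server chose it at upload time and owns it.
UPDATABLE_FIELDS = frozenset({"file_original_name", "file_description"})


def update_record_mass_assign(record, payload):
    """Vulnerable pattern: every key in the request body is written onto the
    record, so a body containing file_local_name repoints it at any path."""
    for key, value in payload.items():
        if hasattr(record, key):
            setattr(record, key, value)
    return record


def update_record_allowlisted(record, payload):
    """Hardened pattern: copy only allow-listed fields; return the rejected
    keys so the caller can log the attempt."""
    rejected = sorted(k for k in payload if k not in UPDATABLE_FIELDS)
    for key in payload:
        if key in UPDATABLE_FIELDS:
            setattr(record, key, payload[key])
    return rejected


def resolve_inside_root(datastore_root, candidate):
    """Return the resolved path if it lies under datastore_root, else None.
    resolve() collapses '..' and follows symlinks before the containment check;
    relative_to() compares path components, so /srv/ds2 is not inside /srv/ds."""
    root = Path(datastore_root).resolve()
    target = Path(candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def delete_record_trusting_path(record):
    """Vulnerable pattern: unlink whatever path the record carries, unvalidated."""
    os.remove(record.file_local_name)


def delete_record_validated(datastore_root, record):
    """Hardened pattern: act only on a regular file that resolves under the
    datastore root; a refusal is the caller's cue to raise an alert."""
    target = resolve_inside_root(datastore_root, record.file_local_name)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Exercise both patterns in a throwaway sandbox; returns the observed outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        (root / "case_1").mkdir(parents=True)
        upload = root / "case_1" / "evidence.bin"      # a legitimate upload (constructed)
        upload.write_bytes(b"constructed sample upload")
        outside = Path(tmp) / "unrelated_server_file"  # stands in for any file outside the datastore
        outside.write_text("must survive")

        record = DatastoreFile(1, "evidence.bin", str(upload))
        tampered = {"file_description": "note", "file_local_name": str(outside)}

        # Allow-listed update keeps the server-chosen path and reports the stray field.
        rejected = update_record_allowlisted(record, tampered)
        kept_path = record.file_local_name == str(upload)

        # Mass assignment on a second record shows how the path gets clobbered,
        # but the validated delete refuses to act on a path outside the root.
        clobbered = update_record_mass_assign(DatastoreFile(2, "evidence.bin", str(upload)), tampered)
        refused = not delete_record_validated(root, clobbered)

        # The untampered record is deleted normally.
        legit = delete_record_validated(root, record)

        return {
            "rejected_fields": rejected,
            "hardened_update_kept_path": kept_path,
            "validated_delete_refused": refused,
            "outside_file_survived": outside.exists(),
            "legit_delete_succeeded": legit,
            "upload_removed": not upload.exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check deliberately resolves both paths before comparing them, so a `..` component or a symlink planted inside the datastore that points outside it is rejected, and it compares path components rather than string prefixes so a sibling directory whose name merely starts with the root's name is not treated as inside it.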
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of their incident response infrastructure. Since iris-web is used to manage and share sensitive forensic data, arbitrary deletion of files could result in loss or tampering of critical investigation evidence, undermining incident response efforts and compliance with regulatory requirements such as GDPR. Disruption of the platform could delay or prevent timely response to security incidents, increasing exposure to further attacks. The vulnerability requires authenticated access, so insider threats or compromised user accounts could be leveraged to exploit it. Given the collaborative nature of iris-web, multiple users may have access, increasing the attack surface. Organizations relying on iris-web for digital forensics and incident management must consider the operational impact of potential data loss or service disruption. Additionally, the deletion of system or application files could lead to denial of service, requiring recovery efforts and causing downtime. The critical severity and network exploitability mean that attackers could weaponize this vulnerability to sabotage investigations or disrupt security operations across European entities.
Mitigation Recommendations
The primary mitigation is to upgrade iris-web to version 2.4.24 or later, where the vulnerability is fixed. Until patching is possible:
- Restrict access to iris-web to trusted users only and enforce strict authentication and authorization controls to minimize the risk of exploitation by insiders or compromised accounts.
- Implement monitoring and alerting on file deletion operations within the iris-web datastore to detect suspicious activity.
- Employ network segmentation and firewall rules to limit access to the iris-web platform from untrusted networks.
- Conduct regular audits of user permissions and review logs for anomalous behavior related to file uploads and deletions.
- Consider deploying application-layer protections such as web application firewalls (WAFs) that can detect and block suspicious mass assignment or path manipulation attempts.
- Educate users about the risks of credential compromise and enforce strong password policies and multi-factor authentication to reduce the likelihood of unauthorized access.
- Finally, maintain regular backups of iris-web data and system files to enable recovery in case of malicious deletion.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T18:27:19.388Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69653fb6da2266e838f91b28
Added to database: 1/12/2026, 6:38:46 PM
Last enriched: 1/12/2026, 6:53:07 PM
Last updated: 1/13/2026, 8:01:31 AM