
Arbitrary File Deletion via Mass Assignment in Datastore File Management

Critical
whikernel published GHSA-qhqj-8qw6-wp8v Jan 11, 2026

Package

iris-web

Affected versions

< 2.4.24

Patched versions

2.4.24

Description

Impact

A vulnerability in the DFIR-IRIS datastore file management allows authenticated users to delete arbitrary filesystem paths. Two weaknesses combine: the file_local_name field of a datastore file can be set through mass assignment, and the delete operation trusts the path stored in that field. This builds on the previously identified mass assignment weakness in the same schema and shows how a field-level access control failure can cascade into a destructive operation.

The attack chain has three steps: an authenticated user uploads a file to the datastore, updates the file's file_local_name field to an arbitrary filesystem path through mass assignment, then triggers the delete operation, which removes the target path without validating it.

The root cause is that the delete operation assumes database-stored paths are system-generated, UUID-based paths and does not re-validate them before unlinking. Mass assignment breaks that assumption entirely, which is why both operational disruption and system compromise are possible: the reachable targets are whatever files the application's filesystem account is permitted to unlink.
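The chain and the fix, as an added example in Python (the language DFIR-IRIS is written in). This is constructed illustration code, not code from the IRIS project: the DatastoreFile record, the field names other than file_local_name, and all function names are assumptions. It puts the vulnerable pattern (apply every submitted field, then trust the stored path) beside a hardened one (an allowlist of client-editable fields, plus a delete that refuses anything not a UUID-named regular file directly under the datastore root), and runs both against a throwaway directory with a victim file outside the root.

```python
"""Mass assignment of file_local_name -> arbitrary delete, and one way to close it.
Constructed example, not DFIR-IRIS code; names below are assumptions."""
import os
import re
import tempfile
import uuid
from dataclasses import dataclass
from pathlib import Path

# Real uploads get a 32-hex-char UUID name directly under the datastore root.
UUID_NAME = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class DatastoreFile:
    file_original_name: str
    file_local_name: str          # absolute on-disk path; meant to be server-controlled
    file_description: str = ""


def upload(root: Path, original_name: str, data: bytes) -> DatastoreFile:
    """Step 1: store the upload under a server-generated UUID name."""
    local = root / uuid.uuid4().hex
    local.write_bytes(data)
    return DatastoreFile(file_original_name=original_name, file_local_name=str(local))


# ---- vulnerable pattern --------------------------------------------------
def update_vulnerable(rec: DatastoreFile, payload: dict) -> DatastoreFile:
    """Step 2 (vulnerable): every field the client sends is written to the
    record, including file_local_name."""
    for key, value in payload.items():
        if hasattr(rec, key):
            setattr(rec, key, value)
    return rec


def delete_vulnerable(rec: DatastoreFile) -> None:
    """Step 3 (vulnerable): the stored path is unlinked without re-validation."""
    os.unlink(rec.file_local_name)


# ---- hardened pattern ----------------------------------------------------
UPDATABLE_FIELDS = {"file_original_name", "file_description"}


def update_hardened(rec: DatastoreFile, payload: dict) -> DatastoreFile:
    """Only an explicit allowlist is applied; file_local_name is unreachable."""
    for key in UPDATABLE_FIELDS & payload.keys():
        setattr(rec, key, payload[key])
    return rec


def delete_hardened(root: Path, rec: DatastoreFile) -> None:
    """Defence in depth: even if the record was tampered with, refuse to unlink
    anything that is not a UUID-named regular file directly under the root."""
    target = Path(rec.file_local_name)
    resolved = target.resolve()
    if resolved.parent != root.resolve() or not UUID_NAME.match(resolved.name):
        raise ValueError(f"refusing to delete path outside datastore: {target}")
    if target.is_symlink() or not resolved.is_file():
        raise ValueError(f"refusing to delete non-regular file: {target}")
    os.unlink(resolved)


def run_chain(hardened: bool) -> dict:
    """Run the three-step chain in a temp layout; report whether the
    out-of-datastore victim file survived and whether the server refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        root.mkdir()
        victim = Path(tmp) / "app.db"          # constructed victim outside the root
        victim.write_bytes(b"important")
        rec = upload(root, "evidence.txt", b"hello")
        payload = {"file_description": "x", "file_local_name": str(victim)}
        refused = False
        try:
            if hardened:
                delete_hardened(root, update_hardened(rec, payload))
            else:
                delete_vulnerable(update_vulnerable(rec, payload))
        except ValueError:
            refused = True
        return {"victim_survived": victim.exists(), "refused": refused}


def tampered_record_refused() -> bool:
    """A record whose file_local_name already points outside the root (the state
    after a successful mass assignment) must still be refused by the delete."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        root.mkdir()
        victim = Path(tmp) / "app.db"
        victim.write_bytes(b"important")
        try:
            delete_hardened(root, DatastoreFile("evidence.txt", str(victim)))
        except ValueError:
            return victim.exists()
        return False


if __name__ == "__main__":
    print("vulnerable:", run_chain(hardened=False))
    print("hardened:  ", run_chain(hardened=True))
    print("tampered record refused:", tampered_record_refused())
```

The allowlist in update_hardened is the actual fix for the mass assignment; the checks in delete_hardened are the second layer the advisory's root-cause note calls for, so that a database row altered by any other route (another bug, a compromised DB credential) still cannot steer the unlink outside the datastore.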

Patches

Issued in 2.4.24

Workarounds

None

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

CVE ID

CVE-2026-22783

Weaknesses

CWE-73: External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-434: Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Credits