External risk intelligence

Flowsint allows attackers to take control of your systems.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-32311

An external attacker could exploit Flowsint to take full control of the system. This allows them to steal sensitive investigation data and gain complete access to the server, resulting in a total compromise of the platform.

Halo Surface Signal: 2

OS Command Injection

Flowsint

External exposure likelihood

Halo Surface Signal score for CVE-2026-32311

Flowsint is an OSINT investigation platform that requires a valid user account to access its features. It is typically deployed as an internal or restricted-access web application for analysts rather than an internet-facing gateway or public service, making direct public exposure uncommon in typical deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to execute arbitrary operating system commands as root on the machine running the Flowsint application. It is triggered by creating a sketch and then running a specific transform, which can lead to a Docker container escape.

  • Can affect sensitive data and systems.
  • Requires an attacker to interact with the application.

Attack Path

How an attacker could exploit the issue

An attacker could weaponize this by creating a sketch and then triggering the `org_to_asn` transform on an organization node. This would execute arbitrary OS commands as root on the host machine by exploiting shell metacharacters and a Docker container escape.

  • No authentication required.
  • Target: `org_to_asn` transform.
  • Requires sketch creation.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely be interested in weaponizing this critical vulnerability due to its potential for remote command execution as root. The ease of triggering the vulnerability by creating a sketch and performing a specific transform, combined with its network accessibility, makes it an attractive target for broad exploitation. While not yet officially listed on known exploited vulnerability catalogs, its inherent characteristics suggest a significant threat potential.

  • Public exploit availability is unknown.
  • No KEV listing observed.
  • Fix released recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline affected Flowsint services due to the critical severity and known vulnerability allowing remote command execution as root. Investigate logs for signs of the 'org_to_asn' transform being triggered and identify all instances of Flowsint that could be susceptible to this escape.

  • Block network access to vulnerable instances.
  • Apply patch commit b52cbbb904c8013b74308d58af88bc7dbb1b055c.
  • Monitor for suspicious root-level commands.
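The log review recommended above can be scripted. The following is an added example, not part of the advisory and not Flowsint code: it assumes a constructed, line-oriented application log in which each transform run is recorded as `<timestamp> transform=<name> sketch=<id> user=<name> input="<value>"`. Real Flowsint logs will differ, so the `LINE` pattern, the `domain_to_ip` transform name and the sample entries are all assumptions. Every `org_to_asn` run is listed for review, and runs whose input contains shell metacharacters are flagged as suspicious.

```python
"""Log triage helper for reviewing org_to_asn transform runs.

Added example, not part of the advisory or of Flowsint. The log format and
the sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed log line shape; adapt to the real application's format.
LINE = re.compile(
    r'^(?P<ts>\S+) transform=(?P<transform>\S+) sketch=(?P<sketch>\S+) '
    r'user=(?P<user>\S+) input="(?P<value>.*)"$'
)
# Characters a POSIX shell treats specially: command separators, pipes,
# redirections, command substitution and escapes.
SHELL_META = re.compile(r"[;&|`$<>\\]")
TARGET_TRANSFORM = "org_to_asn"


@dataclass
class Finding:
    ts: str
    user: str
    sketch: str
    value: str
    suspicious: bool


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per org_to_asn run, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if m is None or m["transform"] != TARGET_TRANSFORM:
            continue
        value = m["value"]
        findings.append(
            Finding(m["ts"], m["user"], m["sketch"], value,
                    suspicious=SHELL_META.search(value) is not None)
        )
    return findings


def suspicious_users(findings: Iterable[Finding]) -> List[str]:
    """Distinct users behind flagged runs, preserving first-seen order."""
    seen: List[str] = []
    for f in findings:
        if f.suspicious and f.user not in seen:
            seen.append(f.user)
    return seen


# Constructed sample log; none of these lines come from a real deployment.
SAMPLE_LOG = [
    '2026-03-01T10:00:00Z transform=org_to_asn sketch=17 user=analyst input="Example Corp"',
    '2026-03-01T10:05:12Z transform=domain_to_ip sketch=17 user=analyst input="example.com"',
    '2026-03-01T10:07:45Z transform=org_to_asn sketch=42 user=guest input="Example Corp; hostname"',
    '2026-03-01T10:09:03Z transform=org_to_asn sketch=42 user=guest input="Example Corp $(hostname)"',
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "review"
        print(f"{flag:10} {f.ts} user={f.user} sketch={f.sketch} input={f.value!r}")
    print("users to follow up with:", suspicious_users(scan_lines(SAMPLE_LOG)))
```

Run it against exported application logs (one line per transform run) and treat every flagged entry as a candidate for host-level investigation; unflagged `org_to_asn` runs still deserve a look if the user or sketch is unexpected, since the advisory does not say the metacharacters are the only way to reach the vulnerable code.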

Frequently asked questions

What is Flowsint and how is it used?

Flowsint is an open-source tool designed for cybersecurity investigations, transparency, and verification. It allows users to manage investigations, sketches, and analyses. Users can create graphs with nodes and relationships that hold information about Open-Source Intelligence (OSINT) targets, such as usernames and websites. Automated processes called 'transformers' can be executed on these nodes.

What is the weakness class for CVE-2026-32311?

The weakness class for CVE-2026-32311 is CWE-78, which refers to the improper neutralization of special elements used in an OS command. This vulnerability allows for OS command injection.
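To make the CWE-78 pattern concrete, here is an added example of the vulnerable shape beside its hardened form. It is not Flowsint code and does not reproduce the project's real `org_to_asn` implementation; the tool name `asn-lookup`, the allow-list and the `echo` stand-in used for the demo are assumptions. The fix has two parts: validate the organization name against an allow-list, and pass it to the external tool as a single argv element with no shell in between.

```python
"""Safe and unsafe ways for a node transform to call an external lookup tool.

Added example illustrating CWE-78; not Flowsint code. The tool name
`asn-lookup` and the allow-list are assumptions made for illustration.
"""
import re
import subprocess
from typing import List

# Allow-list for organization names handed to an external tool: a leading
# letter or digit, then letters, digits, spaces and light punctuation, at most
# 128 characters. Shell metacharacters (; | & ` $ < > and friends) never match.
# The leading alphanumeric also rules out names a tool could parse as an
# option such as "--help".
_ORG_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,'-]{0,127}")


def unsafe_command_string(org: str) -> str:
    """The vulnerable shape: user input interpolated into one shell string.

    Handed to subprocess.run(..., shell=True), the shell rather than the tool
    would interpret any metacharacters in `org`. Kept only for contrast; this
    example never executes it.
    """
    return f"asn-lookup {org}"


def is_safe_org_name(org: str) -> bool:
    """True if `org` matches the allow-list in full."""
    return _ORG_NAME.fullmatch(org) is not None


def validate_org_name(org: str) -> str:
    """Reject anything outside the allow-list before a process is spawned."""
    if not is_safe_org_name(org):
        raise ValueError(f"organization name contains disallowed characters: {org!r}")
    return org


def safe_argv(org: str, tool: str = "asn-lookup") -> List[str]:
    """Build an argv list: the name is exactly one argument, never shell syntax."""
    return [tool, validate_org_name(org)]


def run_org_to_asn(org: str, tool: str = "asn-lookup") -> str:
    """Run the lookup with no shell in the way and return its stdout.

    shell=False means the argv list reaches the kernel as-is, so even a
    metacharacter that slipped past the allow-list would arrive at the tool
    as plain data rather than as shell syntax.
    """
    proc = subprocess.run(
        safe_argv(org, tool),
        shell=False,
        capture_output=True,
        text=True,
        check=True,
        timeout=30,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    # `echo` stands in for the real tool so the demo runs anywhere.
    print(run_org_to_asn("Example Corp", tool="echo"))
    print("unsafe string would be:", unsafe_command_string("Example Corp; hostname"))
    try:
        run_org_to_asn("Example Corp; hostname", tool="echo")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the first line of defence and the argv form is the second; either alone closes the injection, but keeping both means a future change to one does not silently reopen it. Since the advisory notes the commands run as root, running the transform worker as an unprivileged user inside the container is the natural third layer, limiting what any remaining bug can reach.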

How can an attacker exploit Flowsint via CVE-2026-32311?

An attacker can exploit this vulnerability by creating a sketch and then triggering the 'org_to_asn' transform on an organization node. This action can lead to arbitrary OS command execution as root on the host machine due to shell metacharacters and a Docker container escape. The vulnerability is not triggered by simply accessing the application, but requires specific user interaction within the tool.

Who should be concerned about CVE-2026-32311 based on Halo Surface Signal?

Flowsint is typically used internally by analysts, and the Halo Surface Signal indicates that direct public exposure is uncommon. However, given the critical nature of the vulnerability, which allows remote code execution, any Flowsint deployment that could be accessed externally or is connected to sensitive internal networks should be a priority for review.

What are the first steps for responding to this Flowsint vulnerability?

The first steps for responding to this vulnerability involve isolating or taking affected Flowsint services offline. It is recommended to apply the fix by incorporating commit b52cbbb904c8013b74308d58af88bc7dbb1b055c. Additionally, investigate logs for any signs of the 'org_to_asn' transform being triggered and monitor for any suspicious commands executed at the root level.
