CVE-2026-32311
Status: Received - Intake
Remote Code Execution via org_to_asn Transform in Flowsint

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which consist of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc.) within these nodes and relationships. The nodes can have automated processes execute on them, called 'transformers'. A remote attacker can create a sketch, then trigger the 'org_to_asn' transform on an organization node to execute arbitrary OS commands as root on the host machine via shell metacharacters and a Docker container escape. Commit b52cbbb904c8013b74308d58af88bc7dbb1b055c appears to remove the code that causes this issue.
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-04-20
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: reconurge
Product: flowsint
Version / Range: versions before 2025-11-17 (upper bound exclusive)
CWE ID and Description
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32311 is a critical vulnerability in Flowsint, an open-source OSINT graph exploration tool. The issue arises from the 'org_to_asn' transformer, which improperly handles user input by directly interpolating it into a shell command executed with Python's subprocess module using shell=True. This allows a remote attacker to inject shell metacharacters and execute arbitrary OS commands as root on the host machine.

The vulnerability is worsened by the fact that the Docker socket is mounted inside the container, enabling an attacker who gains shell access to escape the Docker container and execute commands on the host with root privileges by launching a new privileged Docker container with host filesystem mounts and elevated capabilities.


How can this vulnerability impact me?

This vulnerability can lead to complete root access on the host machine running Flowsint, resulting in full system compromise.

  • Confidentiality breach by unauthorized access to sensitive data.
  • Service disruption through malicious actions or system manipulation.
  • Installation of malware or other malicious software.
  • Execution of arbitrary commands with root privileges, including escaping the Docker container to control the host system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious usage of the `org_to_asn` transformer in Flowsint, especially POST requests to the endpoint `/api/transformers/org_to_asn/launch` containing unusual or suspicious payloads in the `values` field.

Since the vulnerability involves command injection via shell metacharacters, detection can include looking for unexpected shell commands or reverse shell attempts originating from the Flowsint host.

You can check for suspicious processes or network connections that may indicate exploitation, such as unexpected Docker container launches or reverse shell connections.

  • Monitor HTTP logs for POST requests to `/api/transformers/org_to_asn/launch` with suspicious payloads.
  • Use commands like `ps aux | grep docker` to list unexpected Docker-related processes on the host; `docker ps` and `docker inspect` then show which containers are running and whether they were started privileged or with host filesystem mounts.
  • Check network connections for unusual outbound connections. Note that `netstat -tulnp` and `ss -tulnp` list listening sockets only (the `-l` flag); to see established outbound connections use `netstat -tnp` or `ss -tnp`.
  • Inspect running processes for suspicious commands or shells spawned by Flowsint.
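A log check in the spirit of the first bullet above, added here as an example and not part of this advisory or of Flowsint itself. It assumes request bodies are logged as one JSON object per line with `method`, `path`, `src` and `body` keys (a constructed format) and flags launches of the org_to_asn transform whose `values` carry shell metacharacters.

```python
import json
import re

# Endpoint named in the advisory; the log format and sample entries below
# are constructed for this example.
TRANSFORM_PATH = "/api/transformers/org_to_asn/launch"

# Characters that change the meaning of a command line only when the value
# is handed to a shell (shell=True). A plain organisation name rarely needs
# them, so their presence in a transform input is worth a closer look.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")


def suspicious_values(values):
    """Return the input values that contain shell metacharacters."""
    return [v for v in values if isinstance(v, str) and SHELL_META.search(v)]


def scan_log(lines):
    """Scan JSON-lines request log entries and report org_to_asn launches
    whose `values` field contains shell metacharacters."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip rather than crash
        if entry.get("method") != "POST" or entry.get("path") != TRANSFORM_PATH:
            continue
        body = entry.get("body") or {}
        hits = suspicious_values(body.get("values") or [])
        if hits:
            findings.append({"line": lineno, "src": entry.get("src"), "values": hits})
    return findings


# Constructed sample log: one benign launch, two with metacharacters,
# one GET to the same path and one line that is not JSON at all.
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "method": "POST", "path": "/api/transformers/org_to_asn/launch", "body": {"values": ["Example Corp"]}}',
    '{"src": "203.0.113.5", "method": "POST", "path": "/api/transformers/org_to_asn/launch", "body": {"values": ["Example;Corp"]}}',
    '{"src": "203.0.113.5", "method": "POST", "path": "/api/transformers/org_to_asn/launch", "body": {"values": ["Example $(Corp)"]}}',
    '{"src": "192.0.2.11", "method": "GET", "path": "/api/transformers/org_to_asn/launch"}',
    'not a json record',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} sent {f['values']}")
```

Expect `&` to appear in legitimate organisation names (for example "X & Y Ltd"), so tune the character class against your own data before alerting on it.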

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Flowsint to the fixed version, which removes the vulnerable code and replaces the unsafe subprocess call with an API-key-authenticated lookup.

Specifically, apply the patch from commit b52cbbb904c8013b74308d58af88bc7dbb1b055c which removes the shell command execution and requires an API key for ASN lookups, preventing command injection.

Until the patch is applied, restrict access to the Flowsint service to trusted users only and monitor for suspicious activity.

Additionally, consider removing or restricting Docker socket access inside the container to prevent container escape.

  • Update Flowsint to the patched version containing commit b52cbbb904c8013b74308d58af88bc7dbb1b055c.
  • Restrict network access to Flowsint API endpoints.
  • Remove or restrict Docker socket mounting inside the Flowsint container.
  • Monitor logs and network activity for signs of exploitation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Flowsint allows a remote attacker to execute arbitrary OS commands as root on the host machine, leading to full system compromise including confidentiality breaches and arbitrary malicious actions.

Such a compromise can result in unauthorized access to sensitive data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.

Therefore, this vulnerability poses a significant risk to compliance with these standards by potentially exposing protected information and failing to maintain required security safeguards.

