Description
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. The nodes can have automated processes execute on them called 'transformers'. A remote attacker can create a sketch, then trigger the 'org_to_asn' transform on an organization node to execute arbitrary OS commands as root on the host machine via shell metacharacters and a docker container escape. Commit b52cbbb904c8013b74308d58af88bc7dbb1b055c appears to remove the code that causes this issue.
Published: 2026-04-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution with Host Escalation
Action: Immediate Patch
AI Analysis

Impact

A remote attacker who can create a sketch in Flowsint can trigger the "org_to_asn" transformer on an organization node. The transformer incorrectly includes user-controlled data in a shell command, allowing the attacker to insert shell metacharacters that result in arbitrary OS command execution as root. This is a classic command injection flaw (CWE-78) that also provides a pathway to escape a restricted Docker container and compromise the entire host system.
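The CWE-78 pattern described above, next to its hardened form, as an added illustration that is not Flowsint's code. The `echo` command, the argument-printing child process, the `--org` flag and the allowlist are assumptions standing in for the real lookup tool, and the input is constructed.

```python
import re
import subprocess
import sys

# Constructed input: an organization name carrying a shell command separator.
HOSTILE_ORG = "Example Org; echo INJECTED"

# Stand-in for the external lookup tool (assumption): prints each argument it
# receives on its own line, so the caller can see exactly what the child got.
SHOW_ARGS = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Allowlist: must start alphanumeric (blocks leading '-' option injection),
# then letters, digits, spaces and a little punctuation, 128 chars at most.
ORG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,&'()-]{0,127}")


def lookup_unsafe(org):
    """Vulnerable pattern (CWE-78): the value is pasted into a string that
    /bin/sh parses, so ';' ends the intended command and starts another."""
    cmd = f"echo lookup {org}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(org):
    """No shell: the value travels as one argv element and is never parsed."""
    out = subprocess.run(SHOW_ARGS + ["--org", org], capture_output=True,
                         text=True, check=True, timeout=10)
    return out.stdout.splitlines()


def lookup_safe(org):
    """Validate against the allowlist first, then call without a shell."""
    if not ORG_NAME_RE.fullmatch(org):
        raise ValueError(f"rejected organization name: {org!r}")
    return run_argv(org)


if __name__ == "__main__":
    print("shell=True :", lookup_unsafe(HOSTILE_ORG))
    print("argv list  :", run_argv(HOSTILE_ORG))
    try:
        lookup_safe(HOSTILE_ORG)
    except ValueError as exc:
        print("validated  :", exc)
```

Passing an argument list removes the shell parsing step; the allowlist is a second layer that also stops values beginning with `-` from being read as options by the invoked tool.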

Affected Systems

The vulnerability exists in the open‑source Flowsint tool developed by reconurge. All releases prior to the commit that removed the vulnerable code (b52cbbb) are affected. No specific version numbers are listed in the advisory, so any installation that has not applied the fix is potentially exploitable.

Risk and Exploitability

The flaw receives a CVSS score of 9.3, indicating a high severity attack that can be performed remotely. The advisory does not explicitly state the attack vector; it is inferred to be the web interface or API, since that is how the transformer is triggered. No EPSS score is available, but the absence of a KEV listing does not diminish the risk; an attacker who can reach the Flowsint service can run commands with root privileges and potentially escape the Docker container. The attack would require that the vulnerable transformer be executed, making it a privilege escalation rather than a pure denial-of-service scenario.

Generated by OpenCVE AI on April 21, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that removes the vulnerable code (commit b52cbbb) or upgrade to a Flowsint version that incorporates this fix.
  • Restrict the "org_to_asn" transformer to trusted users only or disable it for untrusted sketches to prevent arbitrary input reaching the shell.
  • Run Flowsint in a non‑privileged environment, ensuring Docker containers started by the tool do not run in privileged mode and have read‑only root filesystems to limit container escape chances.

Advisories

No advisories yet.

History

Thu, 21 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Flowsint
Flowsint flowsint
CPEs cpe:2.3:a:reconurge:flowsint:*:*:*:*:*:*:*:* cpe:2.3:a:flowsint:flowsint:*:*:*:*:*:*:*:*
Vendors & Products Flowsint
Flowsint flowsint

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:reconurge:flowsint:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Reconurge
Reconurge flowsint
Vendors & Products Reconurge
Reconurge flowsint

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. The nodes can have automated processes execute on them called 'transformers'. A remote attacker can create a sketch, then trigger the 'org_to_asn' transform on an organization node to execute arbitrary OS commands as root on the host machine via shell metacharacters and a docker container escape. Commit b52cbbb904c8013b74308d58af88bc7dbb1b055c appears to remove the code that causes this issue.
Title Command Injection and Docker container escape allows root on host machine
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:44:08.776Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32311

Vulnrichment

Updated: 2026-04-21T13:43:58.019Z

NVD

Status: Analyzed

Published: 2026-04-20T20:16:48.653

Modified: 2026-05-21T20:31:52.157

Link: CVE-2026-32311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:18Z
