CVE-2026-42158 Overview
CVE-2026-42158 is a broken access control vulnerability in Flowsint, an open-source Open Source Intelligence (OSINT) graph exploration tool used for cybersecurity investigation, transparency, and verification. The flaw exists in versions prior to 1.2.3. An authenticated adversary who knows the identifier of another user's investigation can modify that investigation's metadata. The issue is tracked under CWE-284: Improper Access Control and is fixed in Flowsint 1.2.3.
Critical Impact
Authenticated users can tamper with metadata belonging to investigations owned by other users, undermining the integrity of OSINT case data.
Affected Products
- Flowsint versions prior to 1.2.3
- Multi-user Flowsint deployments where investigation IDs are guessable or known
- Open-source OSINT pipelines that rely on Flowsint investigation metadata for integrity
Discovery Timeline
- 2026-05-12 - CVE-2026-42158 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42158
Vulnerability Analysis
Flowsint manages OSINT investigations as discrete records, each identified by an investigation ID. Endpoints that update investigation metadata fail to verify that the requesting user owns the targeted investigation. The server trusts the supplied investigation ID and applies the update without authorization checks. This is a horizontal privilege escalation pattern within an authenticated context.
The consequence is loss of integrity of investigation metadata. An attacker cannot read confidential investigation contents through this flaw, and availability is not affected. However, an adversary can alter labels, descriptions, or other metadata fields, which can mislead analysts and contaminate downstream OSINT workflows. The flaw maps to CWE-284. Refer to the GitHub Security Advisory GHSA-5h6v-5hv3-3jjw for vendor details.
Root Cause
The root cause is a missing ownership check on the investigation update path. The application accepts an investigation ID supplied by an authenticated client and processes the metadata update without comparing the record's owner to the session user. This is a classic Insecure Direct Object Reference (IDOR) pattern under the broader CWE-284 category.
Attack Vector
Exploitation requires network access to a Flowsint instance and a valid low-privilege account. The attacker must know or guess a target investigation ID. The attacker then issues a metadata update request referencing the foreign investigation ID. No user interaction by the victim is required. No verified proof-of-concept exploit code is published; see the vendor advisory for technical details.
Detection Methods for CVE-2026-42158
Indicators of Compromise
- Investigation metadata changes recorded against records the acting user does not own
- Update requests targeting investigation IDs that do not appear in the user's prior session history
- Unexpected modification timestamps on investigations belonging to other analysts
Detection Strategies
- Review Flowsint application and database audit logs for update operations on investigation metadata where the actor differs from the investigation owner
- Compare HTTP request logs for metadata update endpoints against the session user's owned investigation IDs
- Alert on enumeration patterns where a single user references many distinct investigation IDs within a short time window
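The owner-mismatch and enumeration checks from the list above, sketched as an added example (not Flowsint code and not part of the advisory). It assumes metadata update events have been exported as (timestamp, acting user, investigation ID) tuples and that an owner lookup is available; the layout, users, IDs and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption,
# not Flowsint's real log or database schema.
OWNERS = {"inv-101": "alice", "inv-102": "alice", "inv-201": "bob", "inv-202": "carol"}
EVENTS = [  # (ISO timestamp, acting user, investigation ID) for metadata updates
    ("2026-05-13T09:00:00", "alice", "inv-101"),
    ("2026-05-13T09:01:10", "mallory", "inv-101"),
    ("2026-05-13T09:01:25", "mallory", "inv-201"),
    ("2026-05-13T09:01:40", "mallory", "inv-202"),
    ("2026-05-13T09:02:05", "mallory", "inv-999"),
    ("2026-05-13T11:30:00", "bob", "inv-201"),
]

def foreign_updates(events, owners):
    """Return updates whose actor is not the recorded owner of the investigation."""
    # IDs missing from the owner table are skipped here; they still count
    # toward the enumeration check below.
    return [(ts, user, inv) for ts, user, inv in events
            if inv in owners and owners[inv] != user]

def enumerators(events, window=timedelta(minutes=5), threshold=3):
    """Return users who referenced >= threshold distinct IDs inside one window."""
    by_user = defaultdict(list)
    for ts, user, inv in events:
        by_user[user].append((datetime.fromisoformat(ts), inv))
    flagged = set()
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({inv for _, inv in rows[start:end + 1]}) >= threshold:
                flagged.add(user)
                break
    return flagged

if __name__ == "__main__":
    for ts, user, inv in foreign_updates(EVENTS, OWNERS):
        print(f"{ts} {user} updated {inv} owned by {OWNERS[inv]}")
    print("possible enumeration:", sorted(enumerators(EVENTS)))
```

The window and threshold need tuning against the per-user baseline of a real deployment before alerting on them.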
Monitoring Recommendations
- Enable verbose request logging on Flowsint update endpoints and ship logs to a centralized SIEM
- Track and baseline per-user investigation ID access patterns to flag deviations
- Monitor authentication events alongside investigation modification events to correlate suspicious activity
How to Mitigate CVE-2026-42158
Immediate Actions Required
- Upgrade Flowsint to version 1.2.3 or later on all instances
- Audit existing investigations for unexpected metadata changes since deployment
- Rotate any shared or guessable investigation IDs if the deployment exposes them in URLs or exports
Patch Information
The vendor fixed this issue in Flowsint 1.2.3. Deploy the upgrade from the official repository and verify the version after installation. Full remediation details are documented in the GitHub Security Advisory GHSA-5h6v-5hv3-3jjw.
Workarounds
- Restrict Flowsint access to trusted users only until the upgrade is applied
- Place Flowsint behind an authenticating reverse proxy that enforces additional access controls
- Disable shared accounts and enforce per-user authentication to preserve audit attribution
# Verify the installed Flowsint version after upgrade
flowsint --version
# Expected output: 1.2.3 or later


