CVE-2026-44352 Overview
CVE-2026-44352 is a Broken Access Control vulnerability [CWE-284] in Flowsint, an open-source graph exploration tool for Open Source Intelligence (OSINT) used in cybersecurity investigation, transparency, and verification work. Versions prior to 1.2.3 allow any authenticated user to read sketch logs belonging to any other user. The maintainer fixed the issue in version 1.2.3.
The flaw enables unauthorized access to investigation artifacts that may contain sensitive OSINT findings, target identifiers, and analyst notes. Exploitation requires only low-privileged authenticated access over the network.
Critical Impact
Authenticated attackers can read sketch logs belonging to any Flowsint user, exposing OSINT investigation data across tenants.
Affected Products
- Flowsint versions prior to 1.2.3
- Reference: GitHub Security Advisory GHSA-9r98-g8q5-cpq5
Discovery Timeline
- 2026-05-12 - CVE-2026-44352 published to the National Vulnerability Database (NVD)
- 2026-05-13 - NVD record last updated
Technical Details for CVE-2026-44352
Vulnerability Analysis
Flowsint stores per-user sketch logs that record activity from OSINT graph investigations. The application fails to enforce object-level authorization when serving these logs: an authenticated user who supplies another user's sketch log identifier receives that log's contents.
This is a classic Broken Access Control pattern [CWE-284], specifically an Insecure Direct Object Reference (IDOR). The server validates that the requester is authenticated but does not verify that the requester owns the requested resource. The vulnerability is confidentiality-impacting only; integrity and availability are not affected.
Because Flowsint is used for cybersecurity investigations, exposed logs may reveal investigation targets, pivot points, and tradecraft. Attackers gaining low-privileged credentials, including through self-registration on multi-tenant deployments, can harvest other analysts' work.
Root Cause
The root cause is a missing authorization check on the endpoint that returns sketch logs. The application relies on client-supplied identifiers without cross-referencing the authenticated session against resource ownership. Refer to the GitHub Security Advisory for code-level details.
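To make the missing check concrete, the following is an added illustration (not Flowsint's source, whose language and structure this page does not describe) of a log-retrieval handler in the shape the advisory describes next to a hardened version. The in-memory store, the SketchLog and Session records, the analyst names and the handler names are all assumptions; the point is the single ownership comparison that separates the two.

```python
"""Missing object-level authorization on a sketch-log endpoint, shown as a
'before' handler and a hardened handler. Constructed example code, not
Flowsint's own: store, record types and names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SketchLog:
    log_id: str
    owner_id: str
    content: str


@dataclass(frozen=True)
class Session:
    user_id: str


class AuthorizationError(Exception):
    """Raised when the requester may not read the requested resource."""


# Constructed sample data: two analysts, one sketch log each.
SKETCH_LOGS = {
    "log-1001": SketchLog("log-1001", "alice", "pivot: domain -> registrant email"),
    "log-1002": SketchLog("log-1002", "bob", "pivot: handle -> forum profile"),
}


def require_session(session):
    """Authentication check only: the caller must be logged in."""
    if session is None:
        raise PermissionError("authentication required")
    return session


def get_sketch_log_vulnerable(session, log_id):
    """'Before' behaviour as the advisory describes it: the handler confirms the
    requester is authenticated, then serves whatever log_id names."""
    require_session(session)
    log = SKETCH_LOGS.get(log_id)
    if log is None:
        raise KeyError(log_id)
    return log.content  # no comparison of session identity to resource owner


def get_sketch_log_fixed(session, log_id):
    """Hardened handler: same lookup, followed by an object-level authorization
    check that ties the authenticated identity to the resource owner."""
    session = require_session(session)
    log = SKETCH_LOGS.get(log_id)
    # One error for both 'missing' and 'not yours', so the endpoint does not
    # confirm which identifiers exist to a caller who does not own them.
    if log is None or log.owner_id != session.user_id:
        raise AuthorizationError("sketch log not found or not accessible")
    return log.content
```

In a database-backed service the equivalent fix is to scope the lookup itself by owner (fetch by `log_id` and `owner_id` together) rather than fetching by identifier and filtering afterwards, so that a forgotten filter cannot reintroduce the flaw.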
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker authenticates to the Flowsint application, enumerates or guesses sketch log identifiers belonging to other users, and submits requests to the vulnerable endpoint. The server returns log contents without validating ownership.
No exploit code is publicly available at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-44352
Indicators of Compromise
- Application access logs showing a single authenticated session requesting sketch log resources associated with multiple distinct user accounts
- Sequential or enumeration-style access patterns against sketch log endpoints
- Spikes in GET requests to sketch log routes outside normal investigator workflows
Detection Strategies
- Correlate authenticated session identifiers with the owner of each requested sketch log; flag mismatches
- Implement server-side audit logging on every sketch log retrieval, including requester user ID and resource owner user ID
- Alert on log retrieval volume that exceeds a per-user baseline
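The indicators and detection strategies above can be checked with a few lines over the audit log the second strategy calls for. The following is an added example, not Flowsint code: the audit line format (timestamp, requester, session, served log id, resolved owner), the analyst names, the sample lines and the thresholds are all constructed assumptions standing in for whatever a real deployment logs.

```python
"""Detection checks for cross-user sketch log retrieval, run over constructed
audit-log lines. Example code added here, not from Flowsint; the line format,
field names, sample data and thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed line format (constructed): ISO timestamp, requester, session id,
# sketch log id served, and the owner the server resolved for that log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) requester=(?P<requester>\S+) session=(?P<session>\S+) "
    r"log_id=(?P<log_id>\S+) owner=(?P<owner>\S+)$"
)

# Constructed sample: two analysts reading their own logs, then one session
# walking consecutive identifiers that resolve to several other owners.
SAMPLE_LOG = """\
2026-05-14T09:00:01Z requester=alice session=s-a1 log_id=log-1001 owner=alice
2026-05-14T09:00:05Z requester=alice session=s-a1 log_id=log-1004 owner=alice
2026-05-14T09:01:10Z requester=bob session=s-b1 log_id=log-1002 owner=bob
2026-05-14T09:02:00Z requester=mallory session=s-m1 log_id=log-1001 owner=alice
2026-05-14T09:02:01Z requester=mallory session=s-m1 log_id=log-1002 owner=bob
2026-05-14T09:02:02Z requester=mallory session=s-m1 log_id=log-1003 owner=carol
2026-05-14T09:02:03Z requester=mallory session=s-m1 log_id=log-1004 owner=alice
2026-05-14T09:02:04Z requester=mallory session=s-m1 log_id=log-1005 owner=carol
"""


def parse(text):
    """Parse audit lines into dicts; lines not matching the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def ownership_mismatches(events):
    """Strategy 1: every retrieval where the requester is not the owner."""
    return [e for e in events if e["requester"] != e["owner"]]


def cross_user_sessions(events, min_owners=2):
    """IoC 1: a single session reading logs that belong to several owners."""
    owners = defaultdict(set)
    for e in events:
        owners[e["session"]].add(e["owner"])
    return {s: sorted(o) for s, o in owners.items() if len(o) >= min_owners}


def sequential_runs(events, min_run=3):
    """IoC 2: a session requesting consecutive numeric log ids; returns the
    longest consecutive run per flagged session."""
    ids = defaultdict(list)
    for e in events:
        m = re.search(r"(\d+)$", e["log_id"])
        if m:
            ids[e["session"]].append(int(m.group(1)))
    flagged = {}
    for session, seq in ids.items():
        best = run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[session] = best
    return flagged


def volume_outliers(events, baseline, default_limit=3):
    """Strategy 3: requesters whose retrieval count exceeds their per-user
    baseline (or default_limit when no baseline exists for them)."""
    counts = defaultdict(int)
    for e in events:
        counts[e["requester"]] += 1
    return {u: n for u, n in counts.items() if n > baseline.get(u, default_limit)}


def analyze(text, baseline=None):
    """Run all checks and return one report dict."""
    events = parse(text)
    return {
        "mismatches": ownership_mismatches(events),
        "cross_user_sessions": cross_user_sessions(events),
        "sequential_runs": sequential_runs(events),
        "volume_outliers": volume_outliers(events, baseline or {}),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG, {"alice": 4, "bob": 4}).items():
        print(name, result)
```

The ownership-mismatch check is the decisive one and only works if the server logs the resolved owner alongside the requester; the session and sequence checks are weaker signals that still apply when only request paths are available from a reverse proxy.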
Monitoring Recommendations
- Forward Flowsint application and reverse-proxy logs to a centralized Security Information and Event Management (SIEM) platform for cross-user access analysis
- Monitor for anomalous authentication followed by rapid sequential resource requests
- Review accounts created shortly before bulk sketch log access events
How to Mitigate CVE-2026-44352
Immediate Actions Required
- Upgrade Flowsint to version 1.2.3 or later without delay
- Audit application access logs for unauthorized cross-user sketch log retrieval since deployment
- Rotate credentials and review tenant separation if shared multi-user instances are in use
- Restrict network exposure of Flowsint to trusted analyst networks until patching is complete
Patch Information
The maintainer released a fix in Flowsint 1.2.3. Upgrade instructions and the security advisory are available in GitHub Security Advisory GHSA-9r98-g8q5-cpq5.
Workarounds
- Limit Flowsint access to a single trusted user or analyst group until version 1.2.3 is deployed
- Place the application behind an authenticating reverse proxy that restricts access to known administrators
- Disable self-registration features if exposed, to prevent untrusted account creation
# Upgrade a source checkout of Flowsint to the patched release
# (tag name v1.2.3 assumed; confirm against the project's release page)
git fetch --tags
git checkout v1.2.3
# Rebuild and restart the application per project documentation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.