PatchSiren

CVE-2026-32311 reconurge CVE debrief

CVE-2026-32311 is a critical remote code execution flaw in Flowsint’s sketch/transform workflow. According to the vendor advisory and NVD record, an attacker who can create a sketch may trigger the org_to_asn transform on an organization node and cause arbitrary OS command execution as root, with a reported container-escape path to the host. The linked commit b52cbbb904c8013b74308d58af88bc7dbb1b055c removes the vulnerable code path.

Vendor: reconurge
Product: flowsint
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-20
Original CVE updated: 2026-05-21
Advisory published: 2026-04-20
Advisory updated: 2026-05-21

Who should care

Flowsint administrators, self-hosted operators, security teams using Flowsint for OSINT investigations, and anyone exposing the application to untrusted users or networks should treat this as urgent. Because the issue is network-reachable and unauthenticated per the NVD CVSS vector, any Internet-facing deployment deserves immediate review.

Technical summary

The vulnerability is described as an OS command injection issue in the org_to_asn transform. A remote attacker can create a sketch and then trigger the transform on an organization node; shell metacharacters in the processing path allow command execution, and the advisory indicates the execution context can lead to root-level command execution plus a Docker container escape. NVD classifies the weakness as CWE-78 and rates the issue 9.3/CRITICAL with CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N and high impact across confidentiality, integrity, and availability. The NVD CPE criteria indicate vulnerability coverage for Flowsint versions before 2025-11-17.

Defensive priority

Immediate. This is a critical, remotely reachable command-injection/RCE issue with root and container-escape impact. Prioritize patching or removing exposure before routine maintenance work.

Recommended defensive actions

  • Apply the vendor fix associated with commit b52cbbb904c8013b74308d58af88bc7dbb1b055c as soon as possible.
  • If you cannot patch immediately, restrict access to Flowsint to trusted users and networks only.
  • Review whether untrusted users can create sketches or trigger transformers; disable or limit that capability where possible.
  • Audit application and container logs for unusual sketch creation, transformer activity, or unexpected command execution around the disclosure window.
  • Harden the runtime environment: run the service with least privilege, isolate containers, and verify host/container escape protections.
  • Track the affected-version boundary in NVD CPE criteria and confirm your deployed build is not in the vulnerable range.
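
One way to support the audit step above, as an added example that is not from this debrief or from the Flowsint project: it flags organization node values that contain shell metacharacters. The record layout (JSON lines with sketch_id, type and value fields) is an assumption about how you export node data, and the sample records are constructed.

```python
import json

# Characters a POSIX shell treats specially. Legitimate organization names
# rarely need them; "&" is included, so a name like "AT&T" is surfaced for
# manual review rather than silently passed.
SHELL_META = set(";&|`$(){}<>\\\n\r!*?\"'")

def suspicious_org_nodes(jsonl_text):
    """Return (line_no, sketch_id, value) for organization nodes whose value
    contains shell metacharacters. Lines that are not JSON objects are
    reported with sketch_id None so they are not silently skipped."""
    hits = []
    for line_no, raw in enumerate(jsonl_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            if not isinstance(rec, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            hits.append((line_no, None, raw))
            continue
        # Scope: the debrief ties the issue to organization nodes only.
        if str(rec.get("type", "")).lower() != "organization":
            continue
        value = str(rec.get("value", ""))
        if any(ch in SHELL_META for ch in value):
            hits.append((line_no, rec.get("sketch_id"), value))
    return hits

# Constructed sample export (hypothetical field names and values).
SAMPLE = "\n".join([
    '{"sketch_id": "s1", "type": "organization", "value": "Example Corp"}',
    '{"sketch_id": "s2", "type": "organization", "value": "Example Corp; id"}',
    '{"sketch_id": "s2", "type": "domain", "value": "a.example; id"}',
    '{"sketch_id": "s3", "type": "Organization", "value": "Initech $(uname -a)"}',
    'not json',
])

if __name__ == "__main__":
    for line_no, sketch_id, value in suspicious_org_nodes(SAMPLE):
        print(f"line {line_no}: sketch={sketch_id} value={value!r}")
```

A hit is a lead for review, not proof of exploitation; correlate flagged sketches with transform activity and container logs from the same period.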

Evidence notes

This debrief is based only on the supplied NVD record, the linked GitHub security advisory, and the referenced patch commit. The corpus states that a remote attacker can create a sketch, trigger the org_to_asn transform on an organization node, and achieve arbitrary OS command execution as root, with a Docker container escape. NVD lists the issue as analyzed, assigns CVSS 4.0 score 9.3, and maps the weakness to CWE-78. The source corpus does not provide a separate expanded affected-version list beyond the CPE criteria ending before 2025-11-17.

Official resources

Publicly disclosed in the official CVE/NVD and GitHub advisory records on 2026-04-20, with a later NVD modification on 2026-05-21. The supplied timeline should be used for issue timing; publication/review time of this debrief is not the CVE