Skip to main content

Deerflow CVE-2026-34430

| EUVDEUVD-2026-17903 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-04-01 disclosure@vulncheck.com
8.6
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
92c7a20cb74addc3038d2131da78f2e239ef542e
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17903
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
HIGH 8.6

DescriptionCVE.org

ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.

AnalysisAI

Sandbox escape in ByteDance Deer-Flow (pre-commit 92c7a20) enables remote attackers to execute arbitrary commands on the host system by exploiting incomplete shell semantics validation in bash tool handling. Attackers bypass regex-based input filters using directory traversal and relative paths to break sandbox isolation, read/modify host files, and invoke subprocesses with shell interpretation. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, though detailed technical advisory exists.

Technical ContextAI

ByteDance Deer-Flow is a workflow orchestration platform that implements sandbox isolation for bash tool execution. The vulnerability stems from CWE-184 (Incomplete List of Disallowed Inputs), where regex-based validation fails to account for complete shell semantics. The sandbox provider attempts to restrict bash command execution but does not properly model shell features including directory change operations (cd), relative path resolution (../, ./), and subprocess invocation patterns. When shell=True is enabled in subprocess calls, attackers can craft payloads that appear benign to the regex validator but leverage shell interpretation features to escape the intended execution boundary. This represents a classic input validation bypass where blocklist-based filtering proves insufficient against the complexity of shell command parsing and execution contexts.

RemediationAI

Upgrade ByteDance Deer-Flow to commit 92c7a20cb74addc3038d2131da78f2e239ef542e or later to eliminate the sandbox escape vulnerability. The fix is available via GitHub pull request 1547 (https://github.com/bytedance/deer-flow/pull/1547) with the corrected validation logic in commit 92c7a20 (https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e). Organizations unable to immediately patch should implement defense-in-depth controls including: restricting network access to Deer-Flow instances to trusted users only, implementing additional input validation at the application layer before workflow submission, applying principle of least privilege to the user accounts running Deer-Flow processes, and monitoring for suspicious bash command patterns in workflow logs (directory traversal sequences, unusual subprocess invocations). Review existing workflows for potential malicious payloads if compromise is suspected. Consult the detailed technical analysis at VulnCheck advisory for specific attack patterns to audit.

Share

CVE-2026-34430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy