Skip to main content

Deer Flow CVE-2026-40518

| EUVDEUVD-2026-23456 HIGH
Path Traversal (CWE-22)
2026-04-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 17:33 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 17:15 euvd
EUVD-2026-23456
Analysis Generated
Apr 17, 2026 - 17:15 vuln.today
Patch released
Apr 17, 2026 - 17:15 nvd
Patch available
CVE Published
Apr 17, 2026 - 16:43 nvd
HIGH 7.1

DescriptionCVE.org

ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.

AnalysisAI

Path traversal in ByteDance DeerFlow's bootstrap-mode custom-agent creation allows authenticated remote attackers to write arbitrary files outside intended directories. Affected versions prior to commit 2176b2b fail to validate agent names, enabling directory traversal sequences (../) or absolute paths to bypass containment controls. Successful exploitation achieves arbitrary file write subject to application process permissions, enabling configuration tampering, code injection, or denial of service. Vendor patch available via GitHub commit 2176b2b. EPSS data unavailable; not currently listed in CISA KEV. Publicly available exploit code exists (GitHub PR #2274 demonstrates vulnerability).

Technical ContextAI

DeerFlow is ByteDance's workflow orchestration platform for machine learning pipelines. This vulnerability affects the bootstrap-mode functionality responsible for creating custom agent configurations. The flaw stems from insufficient input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) when processing user-supplied agent names during the creation workflow. The application fails to sanitize path traversal sequences (../, ..\ ) and absolute paths before using the agent name parameter in filesystem operations. When an authenticated user creates a custom agent, the unsanitized name is passed to directory creation and file write operations, allowing attackers to escape the intended custom-agent directory tree. The CVSS:4.0 vector (AV:N/AC:L/PR:L) confirms this is a network-accessible attack with low complexity requiring only low-privilege authentication. The affected CPE (cpe:2.3:a:bytedance:deer-flow) indicates all pre-patch versions are vulnerable, with the fix implemented in commit 2176b2b.

RemediationAI

Upgrade to ByteDance DeerFlow commit 2176b2bbfccfce25ceee08318813f96d843a13fd or later, which implements proper path validation for agent names in bootstrap-mode custom-agent creation. The patch is available via GitHub at https://github.com/bytedance/deer-flow/commit/2176b2bbfccfce25ceee08318813f96d843a13fd. Organizations unable to immediately patch should implement defense-in-depth controls: (1) Restrict custom-agent creation permissions to trusted administrator accounts only, reducing the attack surface to insider threats; (2) Deploy filesystem-level write restrictions ensuring the DeerFlow application process cannot write to sensitive directories like configuration roots, binary directories, or web-accessible paths (note: this limits impact but does not prevent exploitation, and may interfere with legitimate agent operations); (3) Enable comprehensive filesystem audit logging to detect path traversal attempts in agent name parameters; (4) If DeerFlow is exposed to untrusted networks, place it behind authentication gateways requiring MFA for low-privilege accounts. Review existing custom-agent configurations for suspicious names containing '../' sequences or absolute paths, which may indicate prior exploitation attempts. Compensating controls reduce but do not eliminate risk-patching remains the primary mitigation.

Share

CVE-2026-40518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy