CVE-2026-34430
Published: 01 April 2026
Summary
CVE-2026-34430 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Deerflow Deerflow. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
ByteDance Deer-Flow versions prior to commit 92c7a20 are affected by CVE-2026-34430, a sandbox escape vulnerability in the bash tool handling mechanism. The flaw stems from incomplete modeling of shell semantics, particularly regex-based validation that fails to account for shell features like directory changes (e.g., cd) and relative paths. This allows attackers to bypass sandbox boundaries, enabling reads and modifications of files outside the restricted environment, as well as arbitrary command execution on the host system through subprocess invocation with shell interpretation enabled. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-184.
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary, such as tricking a user into executing a malicious input within the Deer-Flow environment. Successful exploitation grants full arbitrary command execution on the host, compromising confidentiality, integrity, and availability with high impact, as attackers can read sensitive files, modify system data, and run unauthorized processes outside the sandbox.
Mitigation is available through updating to commit 92c7a20 or later in the ByteDance Deer-Flow repository, as detailed in the associated GitHub commit (https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e) and pull request #1547 (https://github.com/bytedance/deer-flow/pull/1547). Additional guidance on the vulnerability and remediation is provided in the VulnCheck advisory (https://www.vulncheck.com/advisories/bytedance-deerflow-localsandboxprovider-host-bash-escape).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17903
Vulnerability details
ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative…
more
paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation (AV:N/PR:N) of Deer-Flow sandbox via bash handling flaws for privilege escalation (sandbox escape) and arbitrary Unix shell command execution on host.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces the sandbox boundary that the incomplete regex validation fails to uphold, blocking unauthorized host file access and command execution.
Requires comprehensive validation of all inputs to the bash tool, addressing the incomplete shell-semantics modeling that permits cd/relative-path bypasses.
Mandates process isolation between the sandboxed bash subprocess and the host, limiting the impact of any validation bypass to achieve arbitrary execution.