Cyber Resilience

CVE-2026-34430

HighPublic PoC

Published: 01 April 2026

Published
01 April 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34430 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Deerflow Deerflow. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

ByteDance Deer-Flow versions prior to commit 92c7a20 are affected by CVE-2026-34430, a sandbox escape vulnerability in the bash tool handling mechanism. The flaw stems from incomplete modeling of shell semantics, particularly regex-based validation that fails to account for shell features like directory changes (e.g., cd) and relative paths. This allows attackers to bypass sandbox boundaries, enabling reads and modifications of files outside the restricted environment, as well as arbitrary command execution on the host system through subprocess invocation with shell interpretation enabled. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-184.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary, such as tricking a user into executing a malicious input within the Deer-Flow environment. Successful exploitation grants full arbitrary command execution on the host, compromising confidentiality, integrity, and availability with high impact, as attackers can read sensitive files, modify system data, and run unauthorized processes outside the sandbox.

Mitigation is available through updating to commit 92c7a20 or later in the ByteDance Deer-Flow repository, as detailed in the associated GitHub commit (https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e) and pull request #1547 (https://github.com/bytedance/deer-flow/pull/1547). Additional guidance on the vulnerability and remediation is provided in the VulnCheck advisory (https://www.vulncheck.com/advisories/bytedance-deerflow-localsandboxprovider-host-bash-escape).

EU & UK References

Vulnerability details

ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative…

more

paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Vulnerability enables remote exploitation (AV:N/PR:N) of Deer-Flow sandbox via bash handling flaws for privilege escalation (sandbox escape) and arbitrary Unix shell command execution on host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42435Shared CWE-184
CVE-2026-43566Shared CWE-184
CVE-2026-32017Shared CWE-184
CVE-2026-43578Shared CWE-184
CVE-2025-48732Shared CWE-184
CVE-2026-44115Shared CWE-184
CVE-2026-41392Shared CWE-184
CVE-2026-43584Shared CWE-184
CVE-2026-34177Shared CWE-184
CVE-2026-43532Shared CWE-184

Affected Assets

deerflow
deerflow
≤ 2026-03-29

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the sandbox boundary that the incomplete regex validation fails to uphold, blocking unauthorized host file access and command execution.

prevent

Requires comprehensive validation of all inputs to the bash tool, addressing the incomplete shell-semantics modeling that permits cd/relative-path bypasses.

prevent

Mandates process isolation between the sandboxed bash subprocess and the host, limiting the impact of any validation bypass to achieve arbitrary execution.

References