Cyber Resilience

CVE-2026-40518

High · Public PoC · Updated

Published: 17 April 2026

Modified: 05 June 2026
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (27.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40518 is a high-severity Path Traversal (CWE-22) vulnerability in ByteDance DeerFlow. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2026-40518 is a path traversal and arbitrary file write vulnerability in ByteDance DeerFlow before commit 2176b2b. The flaw exists in the bootstrap-mode custom-agent creation feature, where agent name validation is bypassed. Attackers can provide traversal-style values or absolute paths as the agent name to manipulate directory creation and write files outside the intended custom-agent directory, enabling potential arbitrary file writes subject to filesystem permissions. It is classified under CWE-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

The vulnerability can be exploited remotely over the network with low attack complexity by authenticated users possessing low privileges, requiring no user interaction. Exploitation allows attackers to achieve arbitrary file writes beyond the custom-agent directory, resulting in low integrity impact and high availability impact, with no confidentiality impact due to the unchanged scope.

Mitigation is addressed in the fixing commit at https://github.com/bytedance/deer-flow/commit/2176b2bbfccfce25ceee08318813f96d843a13fd and pull request https://github.com/bytedance/deer-flow/pull/2274. Further details on the issue are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/bytedance-deerflow-path-traversal-and-arbitrary-file-write-via-bootstrap-mode.

Vulnerability details

ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The path traversal vulnerability in a public-facing application directly enables exploitation for initial access (T1190) and facilitates arbitrary file writes for stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1785 (Shared CWE-22)
CVE-2026-32274 (Shared CWE-22)
CVE-2026-44243 (Shared CWE-22)
CVE-2026-28791 (Shared CWE-22)
CVE-2020-36883 (Shared CWE-22)
CVE-2026-33656 (Shared CWE-22)
CVE-2026-33344 (Shared CWE-22)
CVE-2026-26187 (Shared CWE-22)
CVE-2025-61686 (Shared CWE-22)
CVE-2025-2505 (Shared CWE-22)

Affected Assets

bytedance · deerflow · 2.0-m0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the path traversal vulnerability by requiring validation of agent name inputs to block traversal sequences and absolute paths.

prevent

Prevents exploitation by restricting agent name inputs to organization-defined safe formats excluding path traversal characters.

prevent

Reduces impact of arbitrary file writes outside the intended directory by enforcing least privilege on the bootstrap-mode process subject to filesystem permissions.
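
The input-validation and input-restriction controls described above can be combined as an allow-list check on the agent name plus a containment check on the resolved path. This is an added example, not DeerFlow's code or its fix; the function names, the name pattern, the `config.yaml` file name and the sample inputs are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed allow-list (hypothetical policy, not DeerFlow's rule): starts with an
# alphanumeric, then letters, digits, "_" or "-", at most 64 characters in total.
AGENT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class InvalidAgentName(ValueError):
    """Agent name failed validation or resolved outside the base directory."""


def safe_agent_dir(base_dir, agent_name):
    """Return the directory for agent_name, a direct child of base_dir."""
    if not isinstance(agent_name, str) or not AGENT_NAME_RE.fullmatch(agent_name):
        raise InvalidAgentName(f"rejected agent name: {agent_name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / agent_name).resolve()
    # Defence in depth: after symlink resolution the target must still be a
    # direct child of the base directory.
    if candidate.parent != base:
        raise InvalidAgentName(f"agent path escapes base directory: {agent_name!r}")
    return candidate


def create_agent(base_dir, agent_name, config_text):
    """Validate first, then create the directory and write one file into it."""
    agent_dir = safe_agent_dir(base_dir, agent_name)
    agent_dir.mkdir(exist_ok=True)
    target = agent_dir / "config.yaml"  # hypothetical file name
    target.write_text(config_text, encoding="utf-8")
    return target


# Constructed sample inputs: one valid name, then traversal-style and absolute values.
SAMPLE_NAMES = ["research-agent", "../outside", "/tmp/outside", "..", "a/b", ""]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            try:
                outcome = create_agent(tmp, name, "model: example\n")
            except InvalidAgentName as exc:
                outcome = exc
            print(f"{name!r:18} -> {outcome}")
```

Validation runs before any directory is created, so a rejected name leaves no filesystem side effects.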
