CVE-2026-40518
Published: 17 April 2026
Summary
CVE-2026-40518 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the path traversal vulnerability by requiring validation of agent name inputs to block traversal sequences and absolute paths.
Prevents exploitation by restricting agent name inputs to organization-defined safe formats excluding path traversal characters.
Reduces impact of arbitrary file writes outside the intended directory by enforcing least privilege on the bootstrap-mode process subject to filesystem permissions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability in a public-facing application directly enables exploitation for initial access (T1190) and facilitates arbitrary file writes for stored data manipulation (T1565.001).
NVD Description
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory…
more
creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.
Deeper analysisAI
CVE-2026-40518 is a path traversal and arbitrary file write vulnerability in ByteDance DeerFlow before commit 2176b2b. The flaw exists in the bootstrap-mode custom-agent creation feature, where agent name validation is bypassed. Attackers can provide traversal-style values or absolute paths as the agent name to manipulate directory creation and write files outside the intended custom-agent directory, enabling potential arbitrary file writes subject to filesystem permissions. It is classified under CWE-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
The vulnerability can be exploited remotely over the network with low attack complexity by authenticated users possessing low privileges, requiring no user interaction. Exploitation allows attackers to achieve arbitrary file writes beyond the custom-agent directory, resulting in low integrity impact and high availability impact, with no confidentiality impact due to the unchanged scope.
Mitigation is addressed in the fixing commit at https://github.com/bytedance/deer-flow/commit/2176b2bbfccfce25ceee08318813f96d843a13fd and pull request https://github.com/bytedance/deer-flow/pull/2274. Further details on the issue are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/bytedance-deerflow-path-traversal-and-arbitrary-file-write-via-bootstrap-mode.
Details
- CWE(s)