Description
ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
Published: 2026-04-01
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Command Execution
Action: Patch Now
AI Analysis

Impact

A flaw in DeerFlow’s LocalSandboxProvider sanitizes bash input with an overly restrictive regex, letting an attacker supply shell constructs that move outside the intended sandbox. By changing directories or using relative paths, the attacker can read or write files beyond the sandbox boundary and then invoke arbitrary shell commands with the same privileges as the application. This leads to loss of confidentiality, integrity, and availability of the host system. The weakness corresponds to CWE‑184.

Affected Systems

All DeerFlow releases built before commit 92c7a20cb74addc3038d2131da78f2e239ef542e are vulnerable; operators should verify that their installation contains that specific commit or a later one and apply the patch accordingly.

Risk and Exploitability

The CVSS base score is 8.6, indicating high severity. EPSS is below 1 %, and the issue is not in the CISA KEV catalog, so large‑scale exploitation is currently unlikely. The manipulation requires the attacker to influence the affected DeerFlow process; therefore the attack vector is inferred to be local rather than remote. No public exploit code has been reported.

Generated by OpenCVE AI on April 2, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 92c7a20 or upgrade to a DeerFlow release that incorporates this commit.
  • If upgrading is not immediately possible, disable Bash execution in the sandbox or run the sandbox as a non‑privileged user to limit impact.
  • Verify your deployment version by checking its Git commit hash against the fixed revision.

Generated by OpenCVE AI on April 2, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Bytedance
Bytedance deerflow
Deerflow
Deerflow deerflow
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:deerflow:deerflow:*:*:*:*:*:*:*:*
Vendors & Products Bytedance
Bytedance deerflow
Deerflow
Deerflow deerflow

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
Title ByteDance DeerFlow LocalSandboxProvider Host Bash Escape
Weaknesses CWE-184
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Bytedance Deerflow
Deerflow Deerflow
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T15:01:25.156Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34430

cve-icon Vulnrichment

Updated: 2026-04-01T14:53:17.031Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T14:16:52.773

Modified: 2026-04-02T19:41:55.973

Link: CVE-2026-34430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:06Z

Weaknesses