Cyber Posture

CVE-2026-34430

HighPublic PoC

Published: 01 April 2026

Published
01 April 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative…

more

paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation through patching to commit 92c7a20 directly eliminates the sandbox escape vulnerability in bash tool handling.

SI-10 Information Input Validation good match
prevent

Comprehensive information input validation prevents bypass of regex checks using shell features like directory changes and relative paths.

SC-39 Process Isolation good match
prevent

Robust process isolation enforces sandbox boundaries to contain bash subprocesses and block arbitrary host command execution.

Security SummaryAI

ByteDance Deer-Flow versions prior to commit 92c7a20 are affected by CVE-2026-34430, a sandbox escape vulnerability in the bash tool handling mechanism. The flaw stems from incomplete modeling of shell semantics, particularly regex-based validation that fails to account for shell features like directory changes (e.g., cd) and relative paths. This allows attackers to bypass sandbox boundaries, enabling reads and modifications of files outside the restricted environment, as well as arbitrary command execution on the host system through subprocess invocation with shell interpretation enabled. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-184.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary, such as tricking a user into executing a malicious input within the Deer-Flow environment. Successful exploitation grants full arbitrary command execution on the host, compromising confidentiality, integrity, and availability with high impact, as attackers can read sensitive files, modify system data, and run unauthorized processes outside the sandbox.

Mitigation is available through updating to commit 92c7a20 or later in the ByteDance Deer-Flow repository, as detailed in the associated GitHub commit (https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e) and pull request #1547 (https://github.com/bytedance/deer-flow/pull/1547). Additional guidance on the vulnerability and remediation is provided in the VulnCheck advisory (https://www.vulncheck.com/advisories/bytedance-deerflow-localsandboxprovider-host-bash-escape).

Details

CWE(s)
CWE-184NVD-CWE-noinfo

Affected Products

deerflow
deerflow
≤ 2026-03-29

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote exploitation (AV:N/PR:N) of Deer-Flow sandbox via bash handling flaws for privilege escalation (sandbox escape) and arbitrary Unix shell command execution on host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References