CVE-2026-34430
Modified Modified - Updated After Analysis
Sandbox Escape in ByteDance Deer-Flow Bash Tool Enables Arbitrary Code Execution

Publication date: 2026-04-01

Last updated on: 2026-05-12

Assigner: VulnCheck

Description
ByteDance DeerFlow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-05-12
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34430
EUVD
EUVD-2026-17903
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
deerflow deerflow to 2026-03-29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-34430 allows attackers to bypass sandbox isolation and execute arbitrary commands on the host system, potentially reading and modifying sensitive files such as secrets, SSH keys, and configuration files.

This unauthorized access and modification of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality, integrity, and availability of personal and sensitive information.

The vulnerability undermines the security guarantees of the sandbox environment, increasing the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these standards.

Mitigations introduced, such as disabling host bash execution by default and enforcing explicit opt-in for trusted environments, help reduce the risk of exploitation and support compliance by improving system security posture.

Executive Summary

CVE-2026-34430 is a sandbox escape vulnerability in ByteDance Deer-Flow's LocalSandboxProvider component. It occurs because the system uses regex-based validation to restrict bash commands to certain directories, but this validation is incomplete and does not fully understand shell features like directory changes and relative paths.

Attackers can exploit this flaw to bypass the sandbox's restrictions, allowing them to execute arbitrary commands on the host system. This means they can read and modify files outside the sandbox boundary and run commands with the same privileges as the DeerFlow process.

The vulnerability arises from the LocalSandboxProvider executing shell commands directly on the host without a secure isolation boundary, and the incomplete shell semantics modeling allows attackers to escape the sandbox via subprocess invocation with shell interpretation enabled.

Impact Analysis

If exploited, this vulnerability allows attackers to execute arbitrary commands on your host system with the same privileges as the DeerFlow process.

  • Attackers can read and modify arbitrary files on the host, including sensitive data such as secrets, repository files, SSH keys, and shell configurations.
  • The sandbox isolation guarantees are broken, meaning malicious code can affect the host system beyond the intended restricted environment.
  • This can lead to unauthorized access, data breaches, and potential system compromise.
Detection Guidance

Detection of CVE-2026-34430 involves checking whether the vulnerable LocalSandboxProvider is configured to allow host bash execution, which is disabled by default after the fix.

You can detect if the vulnerable configuration is present by verifying if the `allow_host_bash` option is set to true in your DeerFlow sandbox configuration.

Additionally, you can check if the bash tool or bash subagent is exposed or enabled in your environment, which should not be the case unless explicitly allowed.

Since the vulnerability involves bypassing regex-based validation of shell commands, monitoring for suspicious shell command executions that use directory changes (`cd`), relative paths, or shell expansions outside the sandbox directories (e.g., `/mnt/user-data`) may help detect exploitation attempts.

Specific commands to detect the vulnerability or exploitation attempts are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling host bash execution in the LocalSandboxProvider by ensuring the configuration option `allow_host_bash` is set to false or omitted (defaulting to false).

Avoid enabling host bash execution unless you are in a fully trusted, single-user local environment.

Prefer using the `AioSandboxProvider`, which runs shell commands inside isolated Docker containers, providing a secure sandbox boundary for shell execution.

Ensure that the bash tool and bash subagent are not loaded or exposed unless explicitly required and configured safely.

Apply the security update that includes commit 92c7a20 or later, which implements these mitigations and runtime enforcement.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart