CVE-2026-40518 Overview
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.
Critical Impact
This path traversal vulnerability allows authenticated attackers to write arbitrary files to the system by manipulating agent names during bootstrap-mode custom-agent creation, potentially leading to code execution or system compromise.
Affected Products
- ByteDance DeerFlow (versions before commit 2176b2b)
Discovery Timeline
- 2026-04-17 - CVE-2026-40518 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-40518
Vulnerability Analysis
The vulnerability resides in the bootstrap-mode custom-agent creation functionality within ByteDance DeerFlow. The core issue is a lack of proper input validation on the agent name parameter before it is used in filesystem operations. When users create custom agents, the application constructs directory paths using the provided agent name without adequately sanitizing the input to prevent path traversal sequences.
The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. This allows attackers to escape the intended custom-agent directory by supplying specially crafted agent names containing directory traversal sequences such as ../ or absolute paths.
Root Cause
The root cause of this vulnerability is insufficient input validation on the agent_name parameter in the DeerFlow agent configuration system. Prior to the security patch, the application accepted agent names without verifying they matched a safe pattern. The vulnerable code path in backend/packages/harness/deerflow/agents/lead_agent/agent.py loaded agent configurations without calling the newly introduced validate_agent_name function.
The fix introduces a strict validation pattern (^[A-Za-z0-9-]+$) that only permits alphanumeric characters and hyphens in agent names, effectively blocking path traversal attempts.
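The effect of joining an unvalidated name onto a base directory, next to an allow-list check followed by a containment check, is shown in the added example below. It is not DeerFlow code: the function names and the /srv/deerflow/custom-agents root are assumptions, and the containment check goes beyond the fix described on this page.

```python
import os
import re
from pathlib import Path

AGENT_NAME_PATTERN = re.compile(r"^[A-Za-z0-9-]+$")  # pattern from the fix


def unchecked_agent_dir(root: Path, name: str) -> Path:
    """Pre-fix behaviour in miniature: join the raw name onto the root."""
    return root / name


def escapes_root(root: Path, name: str) -> bool:
    """Lexical check: does the unchecked join land outside root?"""
    joined = Path(os.path.normpath(unchecked_agent_dir(root, name)))
    return not joined.is_relative_to(root)


def checked_agent_dir(root: Path, name: str) -> Path:
    """Allow-list the name, then confirm the resolved path stays under root."""
    if not isinstance(name, str) or not AGENT_NAME_PATTERN.fullmatch(name):
        raise ValueError("invalid agent name")
    root = root.resolve()
    candidate = (root / name).resolve()
    # Defence in depth: a name that passes the regex can still be a symlink
    # already present in root that points somewhere else.
    if candidate.parent != root:
        raise ValueError("agent directory resolves outside the agents root")
    return candidate


if __name__ == "__main__":
    # Hypothetical root; nothing is created or written, paths are only computed.
    root = Path("/srv/deerflow/custom-agents")
    for name in ("research-helper", "../../etc/cron.d/malicious", "/var/www/agent"):
        print(f"{name!r:32} escapes_root={escapes_root(root, name)}")
```

An absolute name replaces the root entirely in a pathlib join, which is why the allow-list has to run before any path is built.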
Attack Vector
The attack vector is network-based and requires low-privileged access to the DeerFlow application. Exploitation by an authenticated attacker proceeds as follows:
- The attacker accesses the bootstrap-mode custom-agent creation functionality
- The attacker supplies a malicious agent name containing path traversal sequences (e.g., ../../etc/cron.d/malicious)
- The application creates directories and writes configuration files to arbitrary locations
- Depending on filesystem permissions, this could allow overwriting critical system files or planting malicious scripts
The following patch was applied to address the vulnerability:
from deerflow.agents.middlewares.tool_error_handling_middleware import build_lead_runtime_middlewares
from deerflow.agents.middlewares.view_image_middleware import ViewImageMiddleware
from deerflow.agents.thread_state import ThreadState
-from deerflow.config.agents_config import load_agent_config
+from deerflow.config.agents_config import load_agent_config, validate_agent_name
from deerflow.config.app_config import get_app_config
from deerflow.config.memory_config import get_memory_config
from deerflow.config.summarization_config import get_summarization_config
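Review bot: The `+from deerflow.config.agents_config import load_agent_config, validate_agent_name` line brings the validator into agent.py, but none of the visible lines call it, so this hunk alone does not show the name being checked before `load_agent_config` runs. Confirm that every code path in agent.py that builds a filesystem path from the agent name calls `validate_agent_name` first, and consider invoking it inside `load_agent_config` itself so that other callers cannot skip the check.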
Source: GitHub Commit
The validation function introduced in agents_config.py:
AGENT_NAME_PATTERN = re.compile(r"^[A-Za-z0-9-]+$")
+def validate_agent_name(name: str | None) -> str | None:
+ """Validate a custom agent name before using it in filesystem paths."""
+ if name is None:
+ return None
+ if not isinstance(name, str):
+ raise ValueError("Invalid agent name. Expected a string or None.")
+ if not AGENT_NAME_PATTERN.fullmatch(name):
+ raise ValueError(f"Invalid agent name '{name}'. Must match pattern: {AGENT_NAME_PATTERN.pattern}")
+ return name
class AgentConfig(BaseModel):
"""Configuration for a custom agent."""
Source: GitHub Commit
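Review bot: In the pattern-mismatch branch of `validate_agent_name`, the `ValueError` message interpolates the rejected value verbatim as `'{name}'`, so newlines or control characters in a bad name reach logs and error responses unchanged; use `{name!r}` or leave the value out of the message. The pattern `^[A-Za-z0-9-]+$` also sets no maximum length, so a bounded quantifier would cap the directory name, and the `^` and `$` anchors are redundant with `fullmatch`. The docstring should state that `None` is passed through unchanged, since callers still have to handle it.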
Detection Methods for CVE-2026-40518
Indicators of Compromise
- Presence of unexpected directories or files outside the designated custom-agent directory
- Agent names in logs containing path traversal sequences (../, /, or absolute paths)
- Unexpected file write operations in system directories by the DeerFlow process
- Configuration files or scripts appearing in cron directories, web roots, or other sensitive locations
Detection Strategies
- Monitor filesystem events for file creation operations originating from the DeerFlow application process outside expected directories
- Implement log analysis rules to detect agent creation requests containing suspicious characters (., /, \)
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review application logs for ValueError exceptions related to agent name validation after patching
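The log analysis rule described above can be sketched as follows. This is an added example, not DeerFlow or vendor code: the JSON-lines format, the field names and the sample events are constructed, and the only value taken from the fix is the name pattern.

```python
import json
import re
from typing import Optional
from urllib.parse import unquote

AGENT_NAME_PATTERN = re.compile(r"^[A-Za-z0-9-]+$")  # pattern from the fix

# Constructed sample log (JSON lines); the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2026-04-18T09:12:01Z", "user": "alice", "agent_name": "research-helper"}
{"ts": "2026-04-18T09:12:44Z", "user": "bob", "agent_name": "../../etc/cron.d/malicious"}
{"ts": "2026-04-18T09:13:02Z", "user": "bob", "agent_name": "%2e%2e%2fshared"}
{"ts": "2026-04-18T09:13:30Z", "user": "carol", "agent_name": "/var/www/agent"}
{"ts": "2026-04-18T09:14:10Z", "user": "dave", "agent_name": "my_agent"}
truncated or non-JSON line
"""


def classify(raw_name: str) -> Optional[str]:
    """Return a finding label, or None if the name passes the allow-list."""
    # Undo up to two layers of percent-encoding before matching.
    name = unquote(unquote(raw_name))
    if AGENT_NAME_PATTERN.fullmatch(name):
        return None
    if name.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", name):
        return "absolute-path"
    if ".." in re.split(r"[\\/]", name):
        return "traversal"
    return "invalid-characters"


def scan(log_text: str) -> list:
    """Return one finding per logged event whose agent name fails validation."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate damaged lines instead of aborting the scan
        if not isinstance(event, dict) or "agent_name" not in event:
            continue
        label = classify(str(event["agent_name"]))
        if label:
            findings.append({"line": lineno, "user": event.get("user"),
                             "agent_name": event["agent_name"], "finding": label})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching against the allow-list rather than a list of bad substrings means the rule flags anything the patched validator would reject, including names that are merely malformed.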
Monitoring Recommendations
- Enable detailed logging for the DeerFlow agent creation endpoints to capture all input parameters
- Set up alerts for any file write operations by the DeerFlow process to paths outside the application directory
- Monitor for new files appearing in sensitive directories such as /etc/cron.d/, /var/www/, or application deployment paths
- Implement real-time log correlation to identify patterns of path traversal exploitation attempts
How to Mitigate CVE-2026-40518
Immediate Actions Required
- Update ByteDance DeerFlow to commit 2176b2bbfccfce25ceee08318813f96d843a13fd or later immediately
- Review existing custom agents for any with suspicious names containing path traversal patterns
- Audit filesystem permissions to ensure the DeerFlow process runs with minimal privileges
- Check for any unauthorized files that may have been written outside the custom-agent directory
Patch Information
ByteDance has addressed this vulnerability in commit 2176b2b. The fix introduces a new validate_agent_name() function that enforces strict input validation using a regex pattern that only allows alphanumeric characters and hyphens. Organizations should update their DeerFlow installations by pulling the latest changes from the repository.
For detailed patch information, refer to:
Workarounds
- Implement a web application firewall (WAF) rule to block requests containing path traversal sequences in agent name parameters
- Restrict access to the bootstrap-mode custom-agent creation functionality to trusted administrators only
- Run the DeerFlow application with a dedicated service account that has restricted filesystem write permissions
- Apply filesystem-level restrictions (chroot, containers, or AppArmor/SELinux policies) to limit where the application can write files
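# Example: restrict the DeerFlow process with AppArmor
# Create the profile /etc/apparmor.d/deerflow. Inside the profile's { } block,
# add a rule that limits writes to the custom-agent directory
# (/path/to/deerflow is a placeholder for the installation path):
#   /path/to/deerflow/custom-agents/** rw,
# A rule appended after the closing brace is a syntax error, so edit the
# profile body instead of appending to the file with echo >>.
# Reload the profile once it has been edited:
apparmor_parser -r /etc/apparmor.d/deerflow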

