PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40518 bytedance CVE debrief

CVE-2026-40518 is a HIGH severity vulnerability in Bytedance DeerFlow before commit 2176b2b. It allows for path traversal and arbitrary file write via bootstrap-mode custom-agent creation. The vulnerability exists due to a bypass in agent name validation, enabling attackers to supply traversal-style values or absolute paths as the agent name. This can influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.

Vendor
bytedance
Product
deer-flow
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-17
Original CVE updated
2026-06-05
Advisory published
2026-04-17
Advisory updated
2026-06-05

Who should care

Users of Bytedance DeerFlow before commit 2176b2b should apply the patch to prevent potential path traversal and arbitrary file write attacks.

Technical summary

The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. It was published on 2026-04-17T17:17:09.543Z and last modified on 2026-06-05T18:07:07.207Z. The CWE associated with this vulnerability is CWE-22.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patch referenced at resourceLinkAnnotations ref-4 to update Bytedance DeerFlow to commit 2176b2b or later.
  • Review and follow the issue tracking and patch information at resourceLinkAnnotations ref-5.
  • Refer to the third-party advisory at resourceLinkAnnotations ref-6 for additional information.

Evidence notes

The information provided is based on data from official sources, including CVE.org and the National Vulnerability Database (NVD).

Official resources

CVE-2026-40518 was published on 2026-04-17T17:17:09.543Z and last modified on 2026-06-05T18:07:07.207Z.