{"id":"CVE-2026-40518","summary":"ByteDance DeerFlow Path Traversal and Arbitrary File Write via Bootstrap Mode","details":"ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory creation and write files outside the intended custom-agent directory, potentially achieving arbitrary file write on the system subject to filesystem permissions.","modified":"2026-07-08T08:13:12.860567279Z","published":"2026-04-17T16:43:42.387Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"2176b2bbfccfce25ceee08318813f96d843a13fd"}]}],"cna_assigner":"VulnCheck","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40518.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40518.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40518"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/bytedance-deerflow-path-traversal-and-arbitrary-file-write-via-bootstrap-mode"},{"type":"REPORT","url":"https://github.com/bytedance/deer-flow/pull/2274"},{"type":"FIX","url":"https://github.com/bytedance/deer-flow/commit/2176b2bbfccfce25ceee08318813f96d843a13fd"},{"type":"PACKAGE","url":"https://github.com/bytedance/deer-flow"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bytedance/deer-flow","events":[{"introduced":"7e7f0410797693cf882594555ba414e0361d4c6f"},{"fixed":"2176b2bbfccfce25ceee08318813f96d843a13fd"}],"database_specific":{"source":["CPE_STRING","REFERENCES"],"extracted_events":[{"introduced":"2.0-m0"},{"last_affected":"2.0-m0"}],"cpe":"cpe:2.3:a:bytedance:deerflow:2.0-m0:*:*:*:*:*:*:*"}}],"versions":["2.0-m0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40518.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"}]}