JustAppSec

DeerFlow patches host bash sandbox escape enabling command execution

2 min read · Published 01 Apr 2026 · Updated 01 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — DeerFlow’s default local sandbox can be escaped via bash tool handling, allowing attacker-influenced workflows to execute arbitrary host commands and access files outside the intended sandbox boundary.

What happened

DeerFlow is an open-source “super agent harness” that orchestrates sub-agents, memory, and sandboxes to perform long-horizon tasks (research, coding, and content creation) using extensible tools/skills.

CVE-2026-34430 reports a sandbox escape in DeerFlow’s bash tool handling: attackers can bypass regex-based validation using shell features (e.g., directory changes and relative paths). The CVE record attributes the issue to incomplete modeling of shell semantics, enabling reads/modifications of files outside the sandbox boundary and arbitrary command execution through subprocess invocation when shell interpretation is enabled.

The CVE record rates this High severity (CVSS v4.0 8.6; CVSS v3.1 8.8). A related upstream security PR describes the same issue as “critical” in the context of DeerFlow’s default local sandbox isolation boundary, highlighting that practical risk increases when handling untrusted prompts or users.

This is a recurring failure mode in “LLM tool sandboxes”: regex-guarding shell commands is brittle, and any mismatch between intended and actual shell semantics tends to become an escape primitive with direct host impact.
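
To make that mismatch concrete, here is an added example (not DeerFlow's code and not taken from the patch) that sets a text-matching guard beside a check that refuses shell grammar and resolves every path argument before execution. The sandbox path, function names, allowlist and sample commands are all constructed assumptions.

```python
import os
import re
import shlex

SANDBOX_ROOT = os.path.realpath("/srv/sandbox/workspace")  # constructed path (assumption)

# Hypothetical regex guard: flag absolute paths that point outside the sandbox.
ABS_PATH = re.compile(r"(?<![\w.])/[^\s;|&]+")

def regex_guard(command: str) -> bool:
    """Brittle: inspects the command text, not what the shell will do with it."""
    return all(p.startswith(SANDBOX_ROOT) for p in ABS_PATH.findall(command))

SHELL_META = set(";|&$`<>(){}*?[]~!\\\n")
ALLOWED_PROGRAMS = {"cat", "ls", "head"}   # illustrative allowlist (assumption)
SHORT_FLAG = re.compile(r"-[A-Za-z0-9]+")

def strict_guard(command: str, cwd: str = SANDBOX_ROOT):
    """Return an argv for subprocess.run(argv, shell=False, cwd=cwd), or None."""
    if any(ch in SHELL_META for ch in command):
        return None                        # no shell grammar at all: no cd, &&, $(), globs
    try:
        argv = shlex.split(command)
    except ValueError:                     # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    for arg in argv[1:]:
        if SHORT_FLAG.fullmatch(arg):
            continue
        if arg.startswith("-"):
            return None                    # long options may carry paths; refuse them
        # Resolve against the working directory the process will really use.
        resolved = os.path.realpath(os.path.join(cwd, arg))
        if os.path.commonpath([resolved, SANDBOX_ROOT]) != SANDBOX_ROOT:
            return None
    return argv

# Constructed inputs modelled on the bypass classes the CVE record names.
SAMPLES = [
    "cat notes/report.txt",
    "cat /etc/passwd",
    "cat ../../../etc/passwd",
    "cd ../../.. && cat etc/passwd",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r}: regex={regex_guard(cmd)} strict={strict_guard(cmd) is not None}")
```

The regex guard only rejects the literal absolute path, while the strict check rejects all three out-of-sandbox samples. A path check of this kind narrows exposure but is not a substitute for OS-level isolation of the tool process.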

Who is impacted

  • Deployments running deer-flow prior to patch commit 92c7a20cb74addc3038d2131da78f2e239ef542e (CVE record: affected lessThan this commit).
  • Highest-risk environments are those treating DeerFlow’s local sandbox as a hard security boundary while executing attacker-influenced tool inputs (e.g., multi-user agent services, shared internal “agent gateway” setups, or any untrusted prompt ingestion path).

Component | Affected versions (per CVE record) | Patched versions / solution status
DeerFlow (bytedance/deer-flow) | < git commit 92c7a20cb74addc3038d2131da78f2e239ef542e | Patch is referenced by the CVE record as commit 92c7a20cb74addc3038d2131da78f2e239ef542e

What to do now

  • Follow upstream remediation guidance and apply the latest patched DeerFlow release/commit available at the time of writing (the CVE record references the patch commit).
  • For teams operating a fork or pinning commits: ensure your deployed revision includes the patch commit referenced in the CVE record.
  • If you must run an affected build temporarily, treat any host-bash execution path as high risk and reassess trust boundaries for tool inputs and “sandboxed” execution.
  • If compromise is suspected, investigate for unexpected host command execution and review access to sensitive files that could be reachable outside the sandbox boundary.

"disable host bash execution by default when LocalSandboxProvider is active"

"introduce an explicit sandbox.allow_host_bash opt-in for fully trusted local workflows"

