← back
CVE-2026-54324

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

CVSS 6.5 MEDIUMEPSS 0.3%CWE-639CWE-863
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. This vulnerability is fixed in 0.185.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
daytonaio · daytona

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/daytonaio/daytona/security/advisories/GHSA-qwxf-2m7m-2m3x