← volver
CVE-2026-54324

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

CVSS 6.5 MEDIUMEPSS 0.3%CWE-639CWE-863
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
23 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. This vulnerability is fixed in 0.185.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Productos afectados
daytonaio · daytona

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/daytonaio/daytona/security/advisories/GHSA-qwxf-2m7m-2m3x