← voltar
CVE-2026-54324

Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

CVSS 6.5 MEDIUMEPSS 0.3%CWE-639CWE-863
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
23 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. This vulnerability is fixed in 0.185.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Produtos afetados
daytonaio · daytona

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/daytonaio/daytona/security/advisories/GHSA-qwxf-2m7m-2m3x