CVE-2026-54320 | Daytona is a secure and elastic infrastructure runtime for A… | CVSS 8.4 HIGH

Description

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and matches an invitation's target email against the email in the caller's token, but the invitation accept and decline paths did not require that email to be verified, unlike organization creation, which already enforced verification. On identity providers that allow self-service signup and issue a session before the email is verified, an actor could register an address matching a pending invitation, leave it unverified, and accept the invitation, joining the target organization with the role the invitation carried (up to Owner). This vulnerability is fixed in 0.184.0.

Metadata

CVE ID: CVE-2026-54320
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 18:11 UTC
Last updated: 2026-06-23 18:11 UTC
Primary CWE: CWE-287
CWE-287: Improper Authentication
Vendor / Product: daytonaio / daytona
Sources: cve.org · NVD

Severity & Metrics

8.4 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Affected products (1)

Vendor	Product	Platform	Versions
daytonaio	daytona	—	< 0.184.0

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.4	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

References (1)

https://github.com/daytonaio/daytona/security/advisories/GHSA-m6hx-cffh-3f3h https://github.com/daytonaio/daytona/security/advisories/GHSA-m6hx-cffh-3f3h