CVE-2026-54322 | Daytona is a secure and elastic infrastructure runtime for A… | CVSS 7.7 HIGH

Description

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier. This vulnerability is fixed in 0.185.0.

Metadata

CVE ID: CVE-2026-54322
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 18:42 UTC
Published: 2026-06-23 18:07 UTC
Last updated: 2026-06-23 18:56 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: daytonaio / daytona
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
daytonaio	daytona	—	< 0.185.0

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

References (1)

https://github.com/daytonaio/daytona/security/advisories/GHSA-qxvm-pcfm-qc39 https://github.com/daytonaio/daytona/security/advisories/GHSA-qxvm-pcfm-qc39