What happened
NVD published five Daytona CVEs on 2026-06-23. All affect the Daytona AI code-execution runtime and cover authorization, transport-security and path-handling flaws: acceptance of organization invitations by accounts with unverified email addresses (CVSS 8.4), a cross-tenant IDOR in role management (CVSS 7.7), TLS certificate verification disabled during authenticated Git clones (CVSS 5.9), a notification WebSocket channel without tenant isolation (CVSS 6.5), and path traversal in sandbox volume mounts (CVSS 4.2).
Why it matters
Daytona is purpose-built as infrastructure for executing AI-generated code and agentic workflows, and its value rests on keeping one tenant's sandboxes and data isolated from another's. Authorization failures at the organization layer and path traversal in volume mounts undermine exactly that isolation. The TLS bypass during git clone is particularly dangerous because the credentials it exposes are the ones used to reach private repositories containing AI agent code, and a captured token gives the attacker whatever access that token had to the repository.
Attack vector
Five independent vectors:
(1) An account whose email address has not been verified can accept an organization invitation and gain access to that organization's AI execution environments (CVE-2026-54320).
(2) The organization role update and delete endpoints resolve the target role from the request body rather than from the URL path, so a member of one organization can modify or delete roles in another organization (cross-org IDOR leading to privilege escalation) (CVE-2026-54322).
(3) Git clones performed with credentials run with TLS certificate verification disabled, so an attacker in a man-in-the-middle position can capture the repository credentials (CVE-2026-54323).
(4) The notification WebSocket channel has no tenant isolation, so one organization's notifications can leak to another (CVE-2026-54324).
(5) Volume mounts in sandboxes accept paths that traverse outside the intended volume directory (CVE-2026-54319).
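As an added illustration (example code written for this page, not Daytona's own implementation), the following TypeScript contrasts the body-resolved lookup behind vector (2) with a path-scoped, organization-scoped lookup, and shows the containment check that closes vector (5). The Role type, the in-memory role store, the request shape and the volume root are assumptions constructed for the example.

```typescript
// Added example, not Daytona code. Types, names and the in-memory store
// below are assumptions; the sample roles are constructed data.
import * as path from "path";

interface Role { id: string; orgId: string; name: string; }

// Constructed sample data: two organizations, one role each.
const roles: Role[] = [
  { id: "role-1", orgId: "org-A", name: "admin" },
  { id: "role-2", orgId: "org-B", name: "viewer" },
];

interface RoleRequest {
  callerOrgId: string;      // organization of the authenticated caller (from the session)
  pathOrgId: string;        // :orgId from the URL path
  pathRoleId: string;       // :roleId from the URL path
  body: { roleId?: string; orgId?: string; name?: string }; // attacker-controlled JSON
}

// Vulnerable pattern described in vector (2): the target is taken from the
// body, so a member of org-A can name org-B's role and reach it.
export function resolveRoleVulnerable(req: RoleRequest): Role | undefined {
  const id = req.body.roleId ?? req.pathRoleId;
  return roles.find((r) => r.id === id);
}

// Hardened: the target comes only from the URL path, the path organization
// must be the caller's own, and the lookup is scoped by both id and orgId.
export function resolveRoleHardened(req: RoleRequest): Role | undefined {
  if (req.pathOrgId !== req.callerOrgId) return undefined;
  return roles.find((r) => r.id === req.pathRoleId && r.orgId === req.pathOrgId);
}

// Containment check for vector (5): the requested subpath must still be
// inside the volume root after normalization. Returns null on escape.
export function resolveMountPath(volumeRoot: string, requested: string): string | null {
  const root = path.posix.resolve("/", volumeRoot);
  // resolve() normalizes ".." segments and lets an absolute `requested`
  // replace the root entirely, so both escape forms are caught below.
  const target = path.posix.resolve(root, requested);
  if (target !== root && !target.startsWith(root + "/")) return null;
  return target;
}
```

The root + "/" suffix in the prefix check matters: without it, a root of /mnt/volumes/vol-1 would accept /mnt/volumes/vol-10/x as inside the volume. On a real host the resolved path should additionally be checked after following symlinks (realpath), which this string-only check does not do.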
Affected systems
Daytona < 0.184.0 (CVE-2026-54320), < 0.185.0 (CVE-2026-54322, CVE-2026-54323, CVE-2026-54324), < 0.186 (CVE-2026-54319)
Mitigation
Upgrade Daytona: 0.184.0 or later fixes CVE-2026-54320; 0.185.0 or later fixes CVE-2026-54322, CVE-2026-54323 and CVE-2026-54324; 0.186 or later fixes CVE-2026-54319, so 0.186 is the lowest release that closes all five. After upgrading, rotate any Git credentials that were used for clones on a vulnerable version, since they may have been exposed over unverified TLS, and review organization memberships and role assignments created while CVE-2026-54320 and CVE-2026-54322 were unpatched. Advisories: https://github.com/daytonaio/daytona/security/advisories/
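As an added check (example code for this page, not Daytona's tooling), the following TypeScript reports which of the five CVEs remain open for a given installed version, using the fixed versions listed above. The version-string format it accepts, a MAJOR.MINOR[.PATCH] core with an optional "v" prefix and pre-release or build suffix, is an assumption; a pre-release such as 0.186.0-rc1 is treated as older than 0.186.

```typescript
// Added example, not Daytona tooling. Fixed versions are those stated in
// the advisories; the accepted version format is an assumption.
const FIXED_IN: Record<string, string> = {
  "CVE-2026-54320": "0.184.0",
  "CVE-2026-54322": "0.185.0",
  "CVE-2026-54323": "0.185.0",
  "CVE-2026-54324": "0.185.0",
  "CVE-2026-54319": "0.186",
};

// Parse "v0.185.0-rc1" style strings into [major, minor, patch, releaseFlag].
// The fourth component is 0 for a pre-release and 1 for a release, so a
// pre-release of 0.186.0 sorts before 0.186.0 itself.
function parseVersion(v: string): number[] {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognized version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? "0"), m[4] ? 0 : 1];
}

// Negative if a < b, zero if equal, positive if a > b.
export function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// CVE identifiers, sorted, whose fix version is newer than `installed`.
export function openCves(installed: string): string[] {
  return Object.entries(FIXED_IN)
    .filter(([, fixed]) => compareVersions(installed, fixed) < 0)
    .map(([cve]) => cve)
    .sort();
}
```

Run openCves against the version reported by your deployment; an empty result means all five advisories are covered. Because "0.186" and "0.186.0" compare equal, the two-component tag used in the advisory for CVE-2026-54319 needs no special handling.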