CVE-2026-54323
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In versions prior to 0.185.0, the git clone implementation in the Daytona daemon disabled TLS certificate verification. This allowed attackers to intercept traffic and steal Git credentials.
Risk Assessment
The organization is at risk of having Git credentials intercepted and malicious content injected into repositories, which could lead to serious security breaches.
Recommendation
It is recommended to upgrade to version 0.185.0 or later to restore TLS certificate verification and secure connections.
Original NVD description (English source)
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, the daemon's git clone implementation disabled TLS certificate verification. When a clone request carried Git credentials, the daemon sent the HTTP Basic Authorization header to the remote over a connection whose certificate was never validated, on both the go-git and native git CLI code paths. An attacker able to intercept clone traffic could present any TLS certificate, capture the Git credentials supplied for the clone, and serve tampered repository content into the sandbox. This vulnerability is fixed in 0.185.0.

