CVE-2026-54324
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In Daytona, prior to version 0.185.0, there was a cross-tenant authorization flaw in the notification WebSocket gateway that allowed authenticated users to subscribe to another organization's real-time notification channels.
Risk Assessment
This vulnerability allows unauthorized access to another organization's events, potentially leading to the leakage of sensitive information.
Recommendation
It is recommended to upgrade to version 0.185.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. This vulnerability is fixed in 0.185.0.

