Skip to main content

Daytona CVE-2026-54319

| EUVDEUVD-2026-38564 MEDIUM
Improper Input Validation (CWE-20)
2026-06-18 https://github.com/daytonaio/daytona GHSA-fjv8-j4p5-cr9m
4.2
CVSS 3.1 · Vendor: https://github.com/daytonaio/daytona
Share

Severity by source

Vendor (https://github.com/daytonaio/daytona) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

PR:L for required authentication, AC:H for structural inexploitability on released builds due to UUID validation; no availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/daytonaio/daytona).

CVSS VectorVendor: https://github.com/daytonaio/daytona

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 18:01 vuln.today
Analysis Generated
Jun 18, 2026 - 18:01 vuln.today

DescriptionCVE.org

Summary

A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory.

Impact

Had the traversal been reachable, an authenticated user could have caused the runner to bind-mount an unintended host path into their sandbox, with a worst-case impact of read and write access to other tenants' volume data (per-volume FUSE mounts are world-readable and writable).

Important: this path was not exploitable in any released version. A volume reference is validated against the database before it reaches the runner, and the volume id column is a UUID type, so a reference containing traversal sequences is rejected at validation time and the request fails before any mount is constructed. We could not reproduce cross-tenant access or an out-of-base host mount on a released build; the observable effect of the documented payload was a server-side validation error. Severity is assessed as Medium on that basis.

Patches

Fixed in v0.186.0. Volume references are now resolved to the canonical volume UUID server-side before reaching the runner, so a name can never flow downstream as a path component, and the runner confines the mount source to the volume base directory and rejects any non-UUID reference.

Workarounds

Upgrade to v0.186.0 or later. No configuration workaround is required for released versions, which were not exploitable.

Credit

Reported by @vnth4nhnt from CyStack.

AnalysisAI

Path traversal in Daytona's sandbox volume mount handling (versions <= 0.185.0) allowed a crafted volume reference containing traversal sequences to theoretically resolve the runner's bind-mount source path outside the intended per-volume base directory, with a worst-case impact of cross-tenant read/write access to other tenants' FUSE-mounted volume data. Critically, the vendor confirmed the vulnerability was NOT exploitable in any released version: volume references pass through UUID-type database validation before reaching the runner, structurally rejecting traversal payloads and producing a server-side validation error instead of an unintended mount. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Daytona platform
Delivery
Craft volume reference embedding path-traversal sequences
Exploit
Submit sandbox volume mount request via API
Execution
Traversal payload bypasses runner path confinement
Persist
Runner constructs bind-mount source outside volume base directory
Impact
Read/write access to other tenant FUSE-mounted volume data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Daytona user account (CVSS PR:L) with permission to create or reference sandbox volumes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.2 (Medium) encodes network attack vector (AV:N), high complexity (AC:H), low-privilege authentication (PR:L), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Daytona user submits a sandbox volume mount request with a volumeId or volume name containing path-traversal sequences (e.g., a name like '../../sensitive-tenant-volume') targeting the runner's bind-mount path construction. On all released versions <= 0.185.0, the database validation layer rejects the non-UUID reference before it reaches the runner, returning a server-side validation error and constructing no mount - the attack terminates at input validation. …
Remediation Upgrade Daytona to v0.186.0 or later, which is the vendor-confirmed patched release per GHSA-fjv8-j4p5-cr9m (https://github.com/daytonaio/daytona/security/advisories/GHSA-fjv8-j4p5-cr9m). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-54319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy