Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
PR:L for required authentication, AC:H for structural inexploitability on released builds due to UUID validation; no availability impact applies.
Primary rating from Vendor (https://github.com/daytonaio/daytona).
CVSS VectorVendor: https://github.com/daytonaio/daytona
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory.
Impact
Had the traversal been reachable, an authenticated user could have caused the runner to bind-mount an unintended host path into their sandbox, with a worst-case impact of read and write access to other tenants' volume data (per-volume FUSE mounts are world-readable and writable).
Important: this path was not exploitable in any released version. A volume reference is validated against the database before it reaches the runner, and the volume id column is a UUID type, so a reference containing traversal sequences is rejected at validation time and the request fails before any mount is constructed. We could not reproduce cross-tenant access or an out-of-base host mount on a released build; the observable effect of the documented payload was a server-side validation error. Severity is assessed as Medium on that basis.
Patches
Fixed in v0.186.0. Volume references are now resolved to the canonical volume UUID server-side before reaching the runner, so a name can never flow downstream as a path component, and the runner confines the mount source to the volume base directory and rejects any non-UUID reference.
Workarounds
Upgrade to v0.186.0 or later. No configuration workaround is required for released versions, which were not exploitable.
Credit
Reported by @vnth4nhnt from CyStack.
AnalysisAI
Path traversal in Daytona's sandbox volume mount handling (versions <= 0.185.0) allowed a crafted volume reference containing traversal sequences to theoretically resolve the runner's bind-mount source path outside the intended per-volume base directory, with a worst-case impact of cross-tenant read/write access to other tenants' FUSE-mounted volume data. Critically, the vendor confirmed the vulnerability was NOT exploitable in any released version: volume references pass through UUID-type database validation before reaching the runner, structurally rejecting traversal payloads and producing a server-side validation error instead of an unintended mount. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Daytona user account (CVSS PR:L) with permission to create or reference sandbox volumes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 (Medium) encodes network attack vector (AV:N), high complexity (AC:H), low-privilege authentication (PR:L), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Daytona user submits a sandbox volume mount request with a volumeId or volume name containing path-traversal sequences (e.g., a name like '../../sensitive-tenant-volume') targeting the runner's bind-mount path construction. On all released versions <= 0.185.0, the database validation layer rejects the non-UUID reference before it reaches the runner, returning a server-side validation error and constructing no mount - the attack terminates at input validation. … |
| Remediation | Upgrade Daytona to v0.186.0 or later, which is the vendor-confirmed patched release per GHSA-fjv8-j4p5-cr9m (https://github.com/daytonaio/daytona/security/advisories/GHSA-fjv8-j4p5-cr9m). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38564
GHSA-fjv8-j4p5-cr9m