Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible WebSocket endpoint; PR:L because valid JWT required; C:H for cross-tenant event data exposure; no integrity or availability impact.
Primary rating from Vendor (https://github.com/daytonaio/daytona).
CVSS VectorVendor: https://github.com/daytonaio/daytona
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events.
Impact
The notification gateway's JWT handshake joined a client-supplied organization identifier to the corresponding notification room without verifying that the authenticated user was a member of that organization. As a result, an authenticated user could receive another organization's realtime sandbox, snapshot, volume, and runner events, including data carried in those events. This is a cross-tenant confidentiality break. It required a valid account and knowledge of the target organization id (a non-secret UUID); no elevated privileges were needed. The API-key authentication path was not affected.
The affected component is the Daytona API service (the apps/api NestJS application). It is distributed through Daytona's repository releases and container images for self-hosted deployments; it is not published as a Go or npm package, so the advisory will not surface through go get or npm dependency tooling.
Affected Versions
>= 0.101.0, <= 0.184.0
Patched Versions
0.185.0
Credit
@vnth4nhnt from CyStack
AnalysisAI
Cross-tenant confidentiality breach in Daytona's notification WebSocket gateway (versions 0.101.0 through 0.184.0) allows any JWT-authenticated user to passively receive realtime event data belonging to a different organization by supplying an arbitrary organization UUID during the WebSocket handshake. The gateway's JWT authentication flow accepted the client-supplied organizationId and joined the corresponding notification room without verifying organizational membership, exposing sandbox, snapshot, volume, and runner events across tenant boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Daytona account authenticated via JWT (the API-key authentication path is explicitly unaffected and not exploitable through this vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) is well-calibrated for this vulnerability: network-accessible, low complexity, requiring only a standard authenticated account (PR:L) with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Daytona user discovers or enumerates a target organization's UUID through API responses, shared infrastructure context, or administrative disclosure. The attacker opens a WebSocket connection to the Daytona notification gateway using their own valid JWT, supplying the victim organization's UUID as the room identifier during the handshake. … |
| Remediation | Upgrade to Daytona 0.185.0, which introduces server-side organizational membership validation during the WebSocket JWT handshake, preventing unauthorized cross-tenant room subscriptions. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38562
GHSA-qwxf-2m7m-2m3x