Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Network-reachable and unauthenticated (AV:N/PR:N/UI:N) but requires timing race and prior knowledge of a previously-public URL (AC:H); only confidentiality of preview content is affected (C:L, I:N, A:N).
Primary rating from Vendor (https://github.com/daytonaio/daytona).
CVSS VectorVendor: https://github.com/daytonaio/daytona
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed.
Impact
When a sandbox owner changed a preview from public to private, the preview proxy could continue serving unauthenticated requests to that sandbox's ordinary preview ports for a bounded period before the change took effect. Only sandboxes that had been made public and were later set back to private were affected, and only until the proxy's cached visibility state was refreshed. Terminal, toolbox, and recording-dashboard ports were never affected, as those always require authentication. The issue did not involve cross-tenant access, privilege escalation, or remote code execution.
Patches
Fixed in v0.184.0. Sandbox visibility changes now invalidate the proxy's cached preview state immediately, so revoking a public preview takes effect on the next request.
Workarounds
Upgrade to v0.184.0 or later. There is no configuration workaround for earlier versions.
Credit
Reported through Daytona's Vulnerability Disclosure Program by mrknightnidu(nidalkhan). Linkedin: https://www.linkedin.com/in/mrknight-nidu-031340328/
AnalysisAI
Stale authorization caching in Daytona's preview proxy allows unauthenticated access to sandbox previews for a bounded window after their owner switches visibility from public back to private. The flaw affects versions 0.101.0 through 0.183.0 and is limited to ordinary preview ports - terminal, toolbox, and recording-dashboard ports remained protected. No public exploit identified at time of analysis, and the GitHub advisory tags suggesting RCE/Privilege Escalation contradict the advisory's own impact statement, which explicitly rules both out.
Technical ContextAI
Daytona is an open-source development environment platform (Go package github.com/daytonaio/daytona) that runs user 'sandboxes' and exposes their HTTP preview ports through a proxy. The proxy caches each sandbox's visibility state (public vs. private) to avoid per-request lookups against the control plane. The root cause maps to CWE-613 (Insufficient Session Expiration): when an owner toggled visibility from public to private, the cached 'public' decision continued to authorize anonymous requests until the cache entry naturally expired (per the GHSA title, up to one hour), instead of being invalidated synchronously on the visibility change.
RemediationAI
Vendor-released patch: upgrade to Daytona v0.184.0 or later, in which visibility changes synchronously invalidate the proxy's cached preview state so revocation takes effect on the next request (https://github.com/daytonaio/daytona/security/advisories/GHSA-ww63-pv5x-vfc8). The vendor explicitly states there is no configuration workaround for earlier versions. As compensating controls until upgrade, operators can place the preview proxy behind a network-level allowlist or SSO/identity-aware proxy (this breaks anonymous public-preview sharing, which is the intended feature), or instruct users to delete and recreate sandboxes rather than toggle visibility (this loses sandbox state but guarantees immediate URL change), or shorten the proxy's visibility cache TTL if the deployment exposes that knob (reduces the exposure window at the cost of more control-plane lookups).
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38565
GHSA-ww63-pv5x-vfc8