CVE-2026-54320
Status: Deferred - Pending Action
Improper Email Verification in Daytona Allows Unauthorized Organization Access

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and matches an invitation's target email against the email in the caller's token, but the invitation accept and decline paths did not require that email to be verified, unlike organization creation, which already enforced verification. On identity providers that allow self-service signup and issue a session before the email is verified, an actor could register an address matching a pending invitation, leave it unverified, and accept the invitation, joining the target organization with the role the invitation carried (up to Owner). This vulnerability is fixed in 0.184.0.
Meta Information
Generated: 2026-06-24
AI Q&A generated: 2026-06-23
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor: daytonaio, Product: daytona, Version / Range: before 0.184.0 (exclusive), affected
Vendor: daytonaio, Product: daytona, Version / Range: 0.184.0, the fixed version
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Quick Actions
Executive Summary

CVE-2026-54320 is a vulnerability in Daytona versions before 0.184.0 (no CVSS score is given on this page) that allows an attacker to accept or decline organization invitations using an unverified email address.

Daytona authenticates users via OIDC and matches the invitation's target email against the email in the caller's token, but the invitation accept and decline endpoints did not require the email to be verified, unlike organization creation which enforced verification.

An attacker could register an email address matching a pending invitation without verifying it, then accept the invitation to join the target organization with the role specified in the invitation, including high-privilege roles such as Owner.

Impact Analysis

This vulnerability can lead to unauthorized access to an organization's resources by allowing an attacker to join the organization with the role assigned in the invitation, potentially up to Owner.

With such access, the attacker could manage sandbox configurations, membership, and other sensitive organizational settings, compromising confidentiality, integrity, and availability.

Detection Guidance

Detection means finding invitation accept or decline actions that were performed, on a Daytona version before 0.184.0, by an account whose email address was not verified at the time of the action.

Daytona itself did not check verified status on these paths, so the evidence has to be joined from two sources: the invitation accept and decline records (audit or API access logs carrying the caller's identity, the invitation's target email, the role granted and a timestamp) and the identity provider's user records showing whether and when each account's email was verified. The pattern to look for is an acceptance by an account that was created shortly before the action and verified only afterwards, or never verified at all. Review any Owner or admin membership that originated from an invitation first.

There are no specific commands provided in the available resources to detect this vulnerability directly.
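The join described above, as an added example that is not Daytona's tooling: it reads constructed invitation audit events (one JSON object per line) and a constructed identity-provider user export, skips events served by a fixed version, and flags accept or decline actions whose actor had no verified email at the time, ordering Owner grants first. The log layout, field names (ts, event, actorSub, invitationEmail, appVersion, emailVerifiedAt) and the sample data are assumptions to adapt to your real exports.

```typescript
// Added example (not Daytona's tooling). Audits invitation accept/decline events
// against IdP verification state. Field names and the log layout are assumptions.

interface InvitationEvent {
  ts: string;                            // ISO 8601 time of the action
  event: "invitation.accept" | "invitation.decline";
  actorSub: string;                      // OIDC subject of the caller
  invitationEmail: string;               // address the invitation targeted
  organizationId: string;
  role: "member" | "admin" | "owner";    // role the invitation carried
  appVersion: string;                    // Daytona version that served the request
}

interface IdpUser {
  sub: string;
  email: string;
  createdAt: string;
  emailVerifiedAt: string | null;        // null: never verified
}

interface Finding {
  ts: string; actorSub: string; organizationId: string; role: string; reason: string;
}

const FIXED_VERSION = "0.184.0";

// Numeric dotted-version comparison; missing components count as 0.
function parseVersion(v: string): number[] {
  return v.split(".").map((x) => parseInt(x, 10) || 0);
}

function versionBefore(a: string, b: string): boolean {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Keeps only the invitation accept/decline events from a JSON-lines log.
function parseAuditLog(text: string): InvitationEvent[] {
  return text.split("\n").map((l) => l.trim()).filter((l) => l.length > 0)
    .map((l) => JSON.parse(l) as InvitationEvent)
    .filter((e) => e.event === "invitation.accept" || e.event === "invitation.decline");
}

function findUnverifiedInvitationActions(events: InvitationEvent[], users: IdpUser[]): Finding[] {
  const bySub = new Map<string, IdpUser>();
  for (const u of users) bySub.set(u.sub, u);
  const findings: Finding[] = [];
  for (const e of events) {
    if (!versionBefore(e.appVersion, FIXED_VERSION)) continue; // guard present from 0.184.0
    const u = bySub.get(e.actorSub);
    let reason: string | null = null;
    if (!u) reason = "actor not found in IdP export";
    else if (u.emailVerifiedAt === null) reason = "email never verified";
    else if (Date.parse(u.emailVerifiedAt) > Date.parse(e.ts)) reason = "email verified only after the action";
    if (reason !== null) {
      findings.push({ ts: e.ts, actorSub: e.actorSub, organizationId: e.organizationId, role: e.role, reason });
    }
  }
  const rank: Record<string, number> = { owner: 0, admin: 1, member: 2 };
  return findings.sort((a, b) => (rank[a.role] ?? 3) - (rank[b.role] ?? 3) || a.ts.localeCompare(b.ts));
}

// Constructed sample data (not real logs): one never-verified Owner acceptance,
// one clean acceptance, one decline by an account verified afterwards, one
// acceptance on the fixed version, and an unrelated event type to be ignored.
const SAMPLE_AUDIT_LOG = `
{"ts":"2026-06-10T12:05:00Z","event":"invitation.accept","actorSub":"idp|u-attacker","invitationEmail":"cto@victim.example","organizationId":"org-victim","role":"owner","appVersion":"0.183.0"}
{"ts":"2026-06-11T09:00:00Z","event":"invitation.accept","actorSub":"idp|u-bob","invitationEmail":"bob@victim.example","organizationId":"org-victim","role":"member","appVersion":"0.183.0"}
{"ts":"2026-06-12T15:30:00Z","event":"invitation.decline","actorSub":"idp|u-late","invitationEmail":"dev@victim.example","organizationId":"org-victim","role":"admin","appVersion":"0.183.0"}
{"ts":"2026-06-25T10:00:00Z","event":"invitation.accept","actorSub":"idp|u-new","invitationEmail":"new@victim.example","organizationId":"org-victim","role":"owner","appVersion":"0.184.0"}
{"ts":"2026-06-11T09:01:00Z","event":"organization.create","actorSub":"idp|u-bob","invitationEmail":"","organizationId":"org-bob","role":"owner","appVersion":"0.183.0"}
`;

const SAMPLE_IDP_USERS: IdpUser[] = [
  { sub: "idp|u-attacker", email: "cto@victim.example", createdAt: "2026-06-10T12:03:00Z", emailVerifiedAt: null },
  { sub: "idp|u-bob", email: "bob@victim.example", createdAt: "2026-05-01T08:00:00Z", emailVerifiedAt: "2026-05-01T08:02:00Z" },
  { sub: "idp|u-late", email: "dev@victim.example", createdAt: "2026-06-12T15:28:00Z", emailVerifiedAt: "2026-06-13T08:00:00Z" },
  { sub: "idp|u-new", email: "new@victim.example", createdAt: "2026-06-25T09:58:00Z", emailVerifiedAt: null },
];

function runSample(): Finding[] {
  return findUnverifiedInvitationActions(parseAuditLog(SAMPLE_AUDIT_LOG), SAMPLE_IDP_USERS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

A decline is flagged as well as an accept because the advisory names both paths; an attacker who declines a pending invitation denies the legitimate invitee access, which is an integrity problem even if no membership is gained.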

Mitigation Strategies

The primary mitigation is to upgrade Daytona to version 0.184.0 or later, where the invitation accept and decline endpoints require verified emails.

As a temporary workaround before upgrading, configure the identity provider so that self-service sign-ups do not receive a usable session, or an email claim, until the address has been verified; the attack depends on the IdP issuing a token for an unverified address. Also review pending invitations, especially any carrying the Owner role, and cancel those that are not needed.

Compliance Impact

This vulnerability allows an attacker to join an organization with an unverified email and gain access to sensitive organizational resources, including sandbox configuration and membership management.

Such unauthorized access and improper authentication could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over user identity verification and access to sensitive data.

Therefore, exploitation of this vulnerability may compromise compliance with these standards by allowing unauthorized users to access and potentially manipulate protected information.
