CVE-2026-54322
Privilege Escalation in Daytona Infrastructure Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier. This vulnerability is fixed in 0.185.0.
Affected Vendors & Products
Vendor: daytonaio
Product: daytona
Affected versions: all versions before 0.185.0 (0.185.0 itself is not affected)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

The vulnerability allows an authenticated user to modify or delete roles belonging to other organizations without proper authorization checks, leading to unauthorized access and privilege escalation across organizations.

Such unauthorized access and privilege escalation can result in improper handling or exposure of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and data protection.

Therefore, this vulnerability could negatively impact compliance with these regulations by enabling unauthorized data access and modification through compromised role permissions.

Executive Summary

CVE-2026-54322 is an Insecure Direct Object Reference (IDOR) vulnerability in Daytona's organization role update and delete endpoints. It allowed any authenticated user who owned an organization to modify or delete a role belonging to another organization simply by supplying that role's identifier, because the endpoints never checked that the role belonged to the organization named in the request.

This happened because the system authorized the caller as an owner of the organization named in the request path but resolved and mutated the target role only by its identifier, without verifying that the role actually belonged to that organization.

The vulnerability affected multi-tenant deployments and was fixed in version 0.185.0 by scoping role operations to the caller's organization.
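The following is an added illustration of the authorization gap described above, written for this page; it is not Daytona's code, and the names (Role, Caller, RoleStore-style Map, updateRoleVulnerable, updateRoleFixed, deleteRoleFixed) are assumptions made for the example. It models the "before" handler, which checks ownership of the organization in the path but fetches the role by id alone, next to a handler that scopes the lookup to that organization, which is the shape of fix the advisory describes.

```typescript
// Added example for CVE-2026-54322 (not Daytona's code). Names and data
// model are assumptions for illustration only.

interface Role {
  id: string;
  organizationId: string;
  permissions: string[];
}

interface Caller {
  userId: string;
  ownedOrganizations: Set<string>;
}

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// In-memory stand-in for the roles table. Constructed sample data:
// two organizations, each owning one custom role.
function seedRoles(): Map<string, Role> {
  return new Map<string, Role>([
    ['role-a1', { id: 'role-a1', organizationId: 'org-a', permissions: ['read:workspaces'] }],
    ['role-b1', { id: 'role-b1', organizationId: 'org-b', permissions: ['read:workspaces'] }],
  ]);
}

// Ownership check on the organization taken from the request path.
function assertOwner(caller: Caller, organizationId: string): void {
  if (!caller.ownedOrganizations.has(organizationId)) {
    throw new ForbiddenError(`caller does not own ${organizationId}`);
  }
}

// "Before" behaviour as the advisory describes it: the caller is authorized
// for the path organization, but the role is resolved by its id alone.
function updateRoleVulnerable(
  roles: Map<string, Role>, caller: Caller, pathOrgId: string, roleId: string, permissions: string[],
): Role {
  assertOwner(caller, pathOrgId);
  const role = roles.get(roleId);           // organizationId is not part of the lookup
  if (!role) throw new NotFoundError(roleId);
  role.permissions = permissions;           // mutates whichever organization owns the role
  return role;
}

// Scoped lookup: a role that does not belong to the authorized organization
// is treated as absent, so the tenant boundary is enforced in the same query.
function findScopedRole(roles: Map<string, Role>, pathOrgId: string, roleId: string): Role {
  const role = roles.get(roleId);
  if (!role || role.organizationId !== pathOrgId) throw new NotFoundError(roleId);
  return role;
}

function updateRoleFixed(
  roles: Map<string, Role>, caller: Caller, pathOrgId: string, roleId: string, permissions: string[],
): Role {
  assertOwner(caller, pathOrgId);
  const role = findScopedRole(roles, pathOrgId, roleId);
  role.permissions = permissions;
  return role;
}

function deleteRoleFixed(roles: Map<string, Role>, caller: Caller, pathOrgId: string, roleId: string): boolean {
  assertOwner(caller, pathOrgId);
  findScopedRole(roles, pathOrgId, roleId);
  return roles.delete(roleId);
}

// Demonstration: the owner of org-a references a role that belongs to org-b.
function demo(): { vulnerableMutatedForeignRole: boolean; fixedRejected: boolean } {
  const ownerOfA: Caller = { userId: 'u1', ownedOrganizations: new Set(['org-a']) };

  const roles = seedRoles();
  updateRoleVulnerable(roles, ownerOfA, 'org-a', 'role-b1', ['admin']);
  const vulnerableMutatedForeignRole = roles.get('role-b1')!.permissions.includes('admin');

  let fixedRejected = false;
  try {
    updateRoleFixed(seedRoles(), ownerOfA, 'org-a', 'role-b1', ['admin']);
  } catch (e) {
    fixedRejected = e instanceof NotFoundError;
  }
  return { vulnerableMutatedForeignRole, fixedRejected };
}

console.log(demo());
```

The point of `findScopedRole` is that the organization id from the path is part of every role query, so the authorization decision and the data access refer to the same object; the fixed handler answers "not found" rather than "forbidden" for a foreign role, which also avoids confirming that the identifier exists in another tenant.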

Impact Analysis

This vulnerability can lead to privilege escalation, privilege stripping, or role deletion in victim organizations within a multi-tenant Daytona deployment.

An attacker who owns any organization could modify permissions or delete roles in other organizations, potentially disrupting access controls and security policies.

Exploitation requires knowledge of the target role's identifier, which is not exposed to non-members, and the attacker must be authenticated with ownership of at least one organization.

Detection Guidance

Detecting exploitation means checking whether authenticated users are sending role update or delete requests whose target role belongs to an organization other than the one named in the request path. Since exploitation requires knowledge of role identifiers, monitoring API calls to the organization role update and delete endpoints for such cross-organization access attempts is recommended.

Specific commands are not provided in the available resources, but network or application logs should be inspected for API requests to endpoints related to organization role updates or deletions where the authenticated user does not belong to the target organization.
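As an added example of the log inspection suggested above (not Daytona's code, and not its real log format), the block below parses constructed access-log lines, keeps only role update and delete requests, and flags those where the role's owning organization, taken from a role inventory such as a database export, differs from the organization in the path. The key=value line layout, the path shape /organizations/<orgId>/roles/<roleId>, and the ROLE_OWNER inventory are all assumptions for this example.

```typescript
// Added detection sketch for CVE-2026-54322 (not Daytona's code). Log format,
// endpoint path shape and role inventory are assumptions for this example.

interface RoleRequest {
  timestamp: string;
  user: string;
  method: string;
  pathOrgId: string;
  roleId: string;
  status: number;
}

interface Finding extends RoleRequest {
  roleOrgId: string; // organization that actually owns the role
}

// Constructed sample access-log lines in an assumed key=value format.
const SAMPLE_LOG = `
2026-06-23T10:00:01Z user=u1 method=PUT path=/organizations/org-a/roles/role-a1 status=200
2026-06-23T10:00:02Z user=u1 method=PUT path=/organizations/org-a/roles/role-b1 status=200
2026-06-23T10:00:03Z user=u2 method=DELETE path=/organizations/org-b/roles/role-b1 status=204
2026-06-23T10:00:04Z user=u1 method=DELETE path=/organizations/org-a/roles/role-b2 status=204
2026-06-23T10:00:05Z user=u3 method=GET path=/organizations/org-a/roles status=200
`.trim();

// Constructed role inventory (roleId -> owning organization). In practice this
// comes from the database, ideally a snapshot taken before the audit window
// so that roles deleted during the window are still resolvable.
const ROLE_OWNER: Record<string, string> = {
  'role-a1': 'org-a',
  'role-b1': 'org-b',
  'role-b2': 'org-b',
};

// Only mutating methods on the per-role endpoint are of interest.
const LINE_RE =
  /^(\S+) user=(\S+) method=(PUT|PATCH|DELETE) path=\/organizations\/([^/\s]+)\/roles\/([^/\s]+) status=(\d+)$/;

function parseRoleMutations(log: string): RoleRequest[] {
  const out: RoleRequest[] = [];
  for (const raw of log.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // reads, listings and unrelated endpoints are skipped
    out.push({
      timestamp: m[1], user: m[2], method: m[3],
      pathOrgId: m[4], roleId: m[5], status: Number(m[6]),
    });
  }
  return out;
}

// A request whose role belongs to a different organization than the path
// organization is exactly the cross-tenant case from the advisory. On an
// unpatched server these succeed (2xx); after the fix they return not-found,
// so the status field distinguishes successful modification from an attempt.
function findCrossOrgMutations(requests: RoleRequest[], roleOwner: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const r of requests) {
    const roleOrgId = roleOwner[r.roleId];
    if (roleOrgId === undefined) continue; // unknown id: review separately, not necessarily malicious
    if (roleOrgId !== r.pathOrgId) findings.push({ ...r, roleOrgId });
  }
  return findings;
}

function auditSampleLog(): Finding[] {
  return findCrossOrgMutations(parseRoleMutations(SAMPLE_LOG), ROLE_OWNER);
}

for (const f of auditSampleLog()) {
  console.log(`${f.timestamp} ${f.user} ${f.method} role ${f.roleId} (owned by ${f.roleOrgId}) via path org ${f.pathOrgId}, status ${f.status}`);
}
```

On the constructed sample this reports the two requests by u1 that reach roles owned by org-b through the org-a path; successful ones are the records to reconcile against the affected organization's roles, and the same query, run against real logs with a real inventory, gives the cross-organization view that the guidance above calls for.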

Mitigation Strategies

The immediate mitigation step is to upgrade Daytona to version 0.185.0 or later, where the vulnerability is fixed by scoping role operations to the caller's organization.

Until the upgrade can be performed, restrict access to the organization role update and delete endpoints to trusted users only, and monitor for any unauthorized role modification or deletion attempts.
