PatchSiren cyber security CVE debrief
CVE-2026-54322 daytonaio CVE debrief
CVE-2026-54322 is a vulnerability in Daytona's organization role update and delete endpoints. Prior to version 0.185.0, these endpoints authorized callers as owners of the organization specified in the request path, but they resolved and mutated the target role by its identifier alone, without verifying whether that role belonged to the organization in the path. As a result, an authenticated user who owns any organization could modify the permissions of, or delete, a role in a different organization, provided they knew that role's identifier. The vulnerability was fixed in version 0.185.0. This issue highlights the importance of robust access control and role management in secure infrastructure runtimes for AI-generated code execution and agent workflows.
- Vendor: daytonaio
- Product: daytona
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Security teams and administrators responsible for managing organizations and roles within Daytona should be aware of this vulnerability. Given the high CVSS score of 7.7, organizations using Daytona prior to version 0.185.0 should prioritize patching to prevent potential exploitation. Additionally, users with the ability to create organizations or manage roles should be cautious of the potential for role manipulation across different organizations.
Technical summary
The vulnerability in Daytona's organization role update and delete endpoints stems from insufficient validation of role ownership. When updating or deleting a role, the endpoints verified only that the caller was an owner of the organization specified in the request path. They did not check whether the target role actually belonged to that organization; the role was looked up by its identifier alone. This oversight enabled an authenticated user with ownership of any organization to manipulate roles in other organizations, provided they knew the role identifiers. The fix in version 0.185.0 likely involves an additional check ensuring that the target role belongs to the organization specified in the request.
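The authorization pattern described above, shown as an added TypeScript illustration that is not Daytona's code: the data model, function names and sample tenancy are assumptions made for this example. The two resolvers differ only in whether the role lookup is scoped to the organization from the request path, which is the property the fix needs to enforce.

```typescript
// Added illustration, not Daytona's code: the data model, function names
// and sample data are assumptions made for this example.
interface Role { id: string; organizationId: string; permissions: string[] }
interface Org { id: string; ownerIds: string[] }
interface Store { orgs: Org[]; roles: Role[] }
// Constructed sample tenancy: two organizations, one role each.
function sampleStore(): Store {
  return {
    orgs: [{ id: "org-A", ownerIds: ["alice"] }, { id: "org-B", ownerIds: ["bob"] }],
    roles: [
      { id: "role-1", organizationId: "org-A", permissions: ["read"] },
      { id: "role-2", organizationId: "org-B", permissions: ["read"] },
    ],
  };
}

function isOwner(store: Store, userId: string, orgId: string): boolean {
  return store.orgs.some(o => o.id === orgId && o.ownerIds.includes(userId));
}
type Resolver = (store: Store, pathOrgId: string, roleId: string) => Role | undefined;
// Vulnerable pattern: the role is resolved by its identifier alone, so the
// organization in the request path never constrains which role gets touched.
const findRoleUnscoped: Resolver = (store, _pathOrgId, roleId) =>
  store.roles.find(r => r.id === roleId);
// Hardened pattern: the lookup is scoped to the path organization, so a role
// that belongs to another organization is simply not found.
const findRoleScoped: Resolver = (store, pathOrgId, roleId) =>
  store.roles.find(r => r.id === roleId && r.organizationId === pathOrgId);
// Both endpoints check organization ownership first (that check existed before
// the fix); the only difference is how the target role is resolved.
function updateRole(store: Store, resolve: Resolver, caller: string,
                    pathOrgId: string, roleId: string, perms: string[]): boolean {
  if (!isOwner(store, caller, pathOrgId)) return false;
  const role = resolve(store, pathOrgId, roleId);
  if (!role) return false;
  role.permissions = perms;
  return true;
}

function deleteRole(store: Store, resolve: Resolver, caller: string,
                    pathOrgId: string, roleId: string): boolean {
  if (!isOwner(store, caller, pathOrgId)) return false;
  const role = resolve(store, pathOrgId, roleId);
  if (!role) return false;
  store.roles = store.roles.filter(r => r !== role);
  return true;
}
```

With the scoped resolver, a cross-organization role identifier yields "not found" rather than a mutation, which is the behaviour defenders should confirm after upgrading.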
Defensive priority
High priority should be given to patching Daytona installations to version 0.185.0 or later. In the meantime, defenders should closely monitor role management activities and consider implementing additional access controls or compensating controls to mitigate the risk of role manipulation across organizations.
Recommended defensive actions
- Patch Daytona to version 0.185.0 or later immediately.
- Review and audit role management activities for suspicious changes.
- Implement additional access controls to restrict role updates and deletions.
- Monitor for potential exploitation attempts.
- Conduct a thorough inventory of organizations and roles within Daytona.
Evidence notes
The CVE and NVD provide official details on the vulnerability. The source item from nvd_modified offers additional context. A reference from [email protected] provides further information on the vulnerability.
Official resources
- CVE-2026-54322 CVE record (CVE.org)
- CVE-2026-54322 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article was generated with AI assistance based on the supplied source corpus.