PatchSiren

daytonaio CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH daytonaio CVE published 2026-06-23

CVE-2026-54322

CVE-2026-54322 is a vulnerability in Daytona's organization role update and delete endpoints. Prior to version 0.185.0, these endpoints authorized callers as owners of the organization specified in the request path. However, they resolved and mutated target roles by their identifiers alone, without verifying whether the roles belonged to that organization. This flaw allowed an authenticated user who owns any o [truncated]

HIGH daytonaio CVE published 2026-06-23

CVE-2026-54320

CVE-2026-54320 is a HIGH-severity vulnerability in Daytona, a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to version 0.184.0, organization invitations could be accepted by users with matching but unverified emails. This issue arises because Daytona authenticates users via OIDC and checks the email in the caller's token against the invitation's targe [truncated]

MEDIUM daytonaio CVE published 2026-06-23

CVE-2026-54319

CVE-2026-54319 is a vulnerability in Daytona, a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to version 0.186, a sandbox volume reference could be used to build a host bind-mount source path without confinement, potentially allowing path-traversal attacks. The vulnerability has a CVSS score of 4.2 and is classified as MEDIUM severity. It was publishe [truncated]

MEDIUM daytonaio CVE published 2026-06-23

CVE-2026-54323

CVE-2026-54323 is a MEDIUM-severity vulnerability in Daytona, a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to version 0.185.0, the daemon's git clone implementation disabled TLS certificate verification. When a clone request carried Git credentials, the daemon sent the HTTP Basic Authorization header to the remote over a connection whose certificat [truncated]