CVE-2026-54322

HIGH 7.7

Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

0th

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier. This vulnerability is fixed in 0.185.0.

CWE	CWE-639 CWE-862
Vendor	daytonaio
Product	daytona
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for daytonaio daytona

Be the first to know when new high vulnerabilities affecting daytonaio daytona are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

Affected Versions

daytonaio / daytona

< 0.185.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/daytonaio/daytona/security/advisories/GHSA-qxvm-pcfm-qc39