CVE-2026-54323

MEDIUM 5.9

Daytona: Git credential leak via git clone with TLS verification disabled

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, the daemon's git clone implementation disabled TLS certificate verification. When a clone request carried Git credentials, the daemon sent the HTTP Basic Authorization header to the remote over a connection whose certificate was never validated, on both the go-git and native git CLI code paths. An attacker able to intercept clone traffic could present any TLS certificate, capture the Git credentials supplied for the clone, and serve tampered repository content into the sandbox. This vulnerability is fixed in 0.185.0.

CWE	CWE-295
Vendor	daytonaio
Product	daytona
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for daytonaio daytona

Be the first to know when new medium vulnerabilities affecting daytonaio daytona are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

daytonaio / daytona

< 0.185.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/daytonaio/daytona/security/advisories/GHSA-375h-72g4-hc9c