CVE-2026-54322: Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.1
highvulnerability
security
Summary
Daytona is a platform for running code created by AI systems in a secure way. Before version 0.185.0, it had a flaw where a user who owned any organization could change or delete roles (permission sets) from a completely different organization if they knew the role's ID, because the system didn't properly verify that the role belonged to the organization being modified.
Solution / Mitigation
This vulnerability is fixed in version 0.185.0.
Vulnerability Details
CVSS Score
7.7(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L
Attack Vector
network
Attack Complexity
high
Privileges Required
low
User Interaction
none
Disclosure Date
June 23, 2026
Classification
Attack Type
Other
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54322
First tracked: June 24, 2026 at 02:13 AM
Classified by LLM (prompt v3) · confidence: 85%