GHSA-qxvm-pcfm-qc39

Source
https://github.com/advisories/GHSA-qxvm-pcfm-qc39
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qxvm-pcfm-qc39/GHSA-qxvm-pcfm-qc39.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qxvm-pcfm-qc39
Aliases
  • CVE-2026-54322
Published
2026-06-16T21:30:08Z
Modified
2026-06-16T21:45:21.192480512Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L
Summary
Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles
Details

Summary

Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier.

Impact

This is a cross-tenant broken access control (IDOR) issue affecting multi-tenant deployments, including the managed Daytona platform. Using a target role's identifier, an attacker with owner rights over their own organization could:

  • Overwrite the target role's name and permission set, escalating or stripping privileges for every member and API key in the victim organization that holds that role.
  • Delete the target role, removing the associated permissions from its holders.
  • Observe the victim role's current permission set returned in the update response (limited information disclosure).

Exploitation requires knowledge of the target role's identifier, which is not enumerable across organizations and is not exposed to non-members through the API.

Affected versions

All versions up to and including 0.184.0.

Patches

Fixed in 0.185.0. The role update, delete, and role-assignment lookups are now scoped to the caller's organization, so a role belonging to another organization resolves to "not found" before any read or mutation. The managed Daytona platform was updated on release of 0.185.0.
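
The lookup defect described above, beside the organization-scoped form the fix adopts, as an added illustration in Go; this is not Daytona's code, and the Role, Store and update functions are hypothetical stand-ins built on a constructed in-memory table:

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for any role the caller's organization cannot see.
var ErrNotFound = errors.New("role not found")

// Role is a hypothetical organization-scoped role record, not Daytona's own type.
type Role struct {
	ID, OrgID, Name string
	Permissions     []string
}

type Store struct{ roles map[string]*Role } // in-memory table keyed by role ID alone

// updateRoleUnscoped mirrors the vulnerable pattern: the caller was already authorized
// as an owner of orgID, but the lookup uses roleID alone and never compares r.OrgID.
func (s *Store) updateRoleUnscoped(orgID, roleID string, perms []string) (*Role, error) {
	r, ok := s.roles[roleID]
	if !ok {
		return nil, ErrNotFound
	}
	r.Permissions = perms
	return r, nil
}

// updateRoleScoped is the fixed pattern: the lookup is keyed by (orgID, roleID), so a
// role belonging to another organization resolves to ErrNotFound before any mutation.
func (s *Store) updateRoleScoped(orgID, roleID string, perms []string) (*Role, error) {
	r, ok := s.roles[roleID]
	if !ok || r.OrgID != orgID {
		return nil, ErrNotFound
	}
	r.Permissions = perms
	return r, nil
}

func newStore() *Store { // constructed sample table: one role that belongs to org-b
	return &Store{roles: map[string]*Role{"role-b": {ID: "role-b", OrgID: "org-b", Name: "admin", Permissions: []string{"sandbox:write"}}}}
}

func main() { // the caller owns org-a but supplies a role ID belonging to org-b
	_, err := newStore().updateRoleUnscoped("org-a", "role-b", []string{"*"})
	fmt.Println("unscoped:", err) // <nil>: the cross-organization write went through
	_, err = newStore().updateRoleScoped("org-a", "role-b", []string{"*"})
	fmt.Println("scoped:", err) // role not found
}
```

The same (orgID, roleID) keying belongs on the delete and role-assignment paths, so that every read or write on a role is gated by the organization the caller was authorized for.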

Workarounds

None. Upgrade to 0.185.0. Single-organization self-hosted deployments are not exploitable, as the issue requires a second organization to target.

Credit

Reported by @vnth4nhnt.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-16T21:30:08Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-639",
        "CWE-862"
    ]
}
References

Affected packages

Go / github.com/daytonaio/daytona

Package

Name
github.com/daytonaio/daytona
Purl
pkg:golang/github.com/daytonaio/daytona

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.185.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qxvm-pcfm-qc39/GHSA-qxvm-pcfm-qc39.json"
last_known_affected_version_range
"<= 0.184.0"