GHSA-qwxf-2m7m-2m3x

Source
https://github.com/advisories/GHSA-qwxf-2m7m-2m3x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qwxf-2m7m-2m3x/GHSA-qwxf-2m7m-2m3x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwxf-2m7m-2m3x
Aliases
  • CVE-2026-54324
Published
2026-06-17T18:07:30Z
Modified
2026-06-17T18:15:11.369871947Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Details

Summary

A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events.

Impact

The notification gateway's JWT handshake joined a client-supplied organization identifier to the corresponding notification room without verifying that the authenticated user was a member of that organization. As a result, an authenticated user could receive another organization's realtime sandbox, snapshot, volume, and runner events, including data carried in those events. This is a cross-tenant confidentiality break. It required a valid account and knowledge of the target organization id (a non-secret UUID); no elevated privileges were needed. The API-key authentication path was not affected.

The affected component is the Daytona API service (the apps/api NestJS application). It is distributed through Daytona's repository releases and container images for self-hosted deployments; it is not published as a Go or npm package, so the advisory will not surface through go get or npm dependency tooling.
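To make the described flaw and its fix concrete, the following is an added illustration and not Daytona's code: it models the room-join decision taken during a Socket.IO-style NestJS gateway handshake, with the vulnerable variant joining whatever organizationId the client supplied and the hardened variant refusing the join unless the authenticated user is a member of that organization. The claim and handshake shapes, the room naming and the in-memory membership table are assumptions.

```typescript
// Added example, not Daytona's code. Models the room-join decision made
// during the notification gateway's JWT handshake. Shapes below are assumed.
interface JwtClaims { sub: string }                  // verified user id from the JWT
interface HandshakeQuery { organizationId?: string } // fully client-controlled

// Constructed membership table standing in for the organization service.
const MEMBERSHIPS: Record<string, string[]> = {
  'user-a': ['org-1'],
  'user-b': ['org-2'],
};

const roomFor = (orgId: string): string => `organization:${orgId}`;

// Vulnerable pattern (CWE-639 / CWE-863): the room is derived from the
// client-supplied organizationId and the authenticated identity is never
// consulted, so any valid account can subscribe to any organization's events.
function joinRoomVulnerable(_claims: JwtClaims, query: HandshakeQuery): string | null {
  if (!query.organizationId) return null;
  return roomFor(query.organizationId);
}

// Hardened pattern: organizationId is only a selector; the join is refused
// unless the authenticated user is actually a member of that organization.
function joinRoomHardened(claims: JwtClaims, query: HandshakeQuery): string | null {
  const orgId = query.organizationId;
  if (!orgId) return null;
  const memberOf = MEMBERSHIPS[claims.sub] ?? [];
  if (!memberOf.includes(orgId)) {
    // Reject outright rather than falling back to another room; a rejected
    // join for an org the user does not belong to is worth logging as a
    // signal of cross-tenant probing.
    return null;
  }
  return roomFor(orgId);
}
```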

Affected Versions

>= 0.101.0, <= 0.184.0

Patched Versions

0.185.0

Credit

@vnth4nhnt from CyStack

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:07:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-639",
        "CWE-863"
    ]
}
References

Affected packages

Go / github.com/daytonaio/daytona

Package

Name
github.com/daytonaio/daytona
Purl
pkg:golang/github.com/daytonaio/daytona

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.185.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qwxf-2m7m-2m3x/GHSA-qwxf-2m7m-2m3x.json"
last_known_affected_version_range
"<= 0.184.0"