CVE-2026-54321

Summary

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. This vulnerability is fixed in 0.184.0.

Affected Software

VendorProductVersion RangeStatus
daytonaiodaytona>= 0.101.0, < 0.184.0affected

Weaknesses

  • CWE-613: CWE-613: Insufficient Session Expiration
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References