CVE-2026-54324
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
描述
### Summary A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. ### Impact The notification gateway's JWT handshake joined a client-supplied organization identifier to the corresponding notification room without verifying that the authenticated user was a member of that organization. As a result, an authenticated user could receive another organization's realtime sandbox, snapshot, volume, and runner events, including data carried in those events. This is a cross-tenant confidentiality break. It required a valid account and knowledge of the target organization id (a non-secret UUID); no elevated privileges were needed. The API-key authentication path was not affected. The affected component is the Daytona API service (the `apps/api` NestJS application). It is distributed through Daytona's repository releases and container images for self-hosted deployments; it is not published as a Go or npm package, so the advisory will not surface through `go get` or npm dependency tooling. ### Affected Versions >= 0.101.0, <= 0.184.0 ### Patched Versions 0.185.0 ### Credit @vnth4nhnt from CyStack
如何修補 CVE-2026-54324
要修補 CVE-2026-54324,請將受影響套件升級到下列已修補版本。
- —升級至 0.185.0 或更新版本
CVE-2026-54324 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-54324 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- from 0, < 0.185.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |