CVE Catalog

CVE-2026-54321

HighCVSS 7.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

In versions from 0.101.0 to 0.184.0, sandboxes switched from public to private could remain accessible without authentication for a short period after the change, due to a cached visibility state that was not invalidated.

Risk Assessment

Organizations may be exposed to unauthorized access to private sandboxes, potentially leading to data leaks or unauthorized code execution.

Recommendation

It is recommended to upgrade to version 0.184.0 or later to mitigate this vulnerability and to monitor access to sandboxes.

Original NVD description (English source)

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. From 0.101.0 until 0.184.0, sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. This vulnerability is fixed in 0.184.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS