CVE Catalog

CVE-2026-54323

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In versions prior to 0.185.0, the git clone implementation in the Daytona daemon disabled TLS certificate verification. This allowed attackers to intercept traffic and steal Git credentials.

Risk Assessment

The organization is at risk of having Git credentials intercepted and malicious content injected into repositories, which could lead to serious security breaches.

Recommendation

It is recommended to upgrade to version 0.185.0 or later to restore TLS certificate verification and secure connections.

Original NVD description (English source)

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, the daemon's git clone implementation disabled TLS certificate verification. When a clone request carried Git credentials, the daemon sent the HTTP Basic Authorization header to the remote over a connection whose certificate was never validated, on both the go-git and native git CLI code paths. An attacker able to intercept clone traffic could present any TLS certificate, capture the Git credentials supplied for the clone, and serve tampered repository content into the sandbox. This vulnerability is fixed in 0.185.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS