Path Traversal Vulnerability in Daytona Infrastructure Runtime by Daytona AI
CVE-2026-54319

4.2 MEDIUM

Key Information:

Vendor: Daytonaio

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-54319?

Daytona, a secure infrastructure runtime for executing AI-generated code and managing agent workflows, is affected by a path traversal vulnerability. Prior to version 0.186, a sandbox volume reference (the volumeId) containing path-traversal sequences was used to construct a host bind-mount source path without confinement, so the resulting path could potentially resolve outside the designated per-volume base directory. The issue is fixed in version 0.186.
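The class of flaw described above, shown as an added Go example that is not Daytona's code: a bind-mount source built by joining a base directory with a caller-supplied volume ID, next to a confined version. The base path, the ID allowlist and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// volumeBase is a constructed per-volume base directory (assumption, not Daytona's real path).
const volumeBase = "/var/lib/example-volumes"

// volumeIDPattern is a hypothetical allowlist: one path segment, no dots or separators.
var volumeIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// unconfinedSource shows the flawed pattern: filepath.Join cleans ".." segments,
// so the returned bind-mount source can silently land outside volumeBase.
func unconfinedSource(volumeID string) string {
	return filepath.Join(volumeBase, volumeID)
}

// confinedSource validates the ID, then verifies that the joined path is a
// strict child of volumeBase before it is handed to the container runtime.
func confinedSource(volumeID string) (string, error) {
	if !volumeIDPattern.MatchString(volumeID) {
		return "", fmt.Errorf("invalid volume id %q", volumeID)
	}
	src := filepath.Join(volumeBase, volumeID)
	rel, err := filepath.Rel(volumeBase, src)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("volume id %q escapes %s", volumeID, volumeBase)
	}
	return src, nil
}

func main() {
	// Constructed sample IDs: one well-formed, three that must be rejected.
	for _, id := range []string{"vol-1234", "../../etc", "a/../../b", ""} {
		src, err := confinedSource(id)
		fmt.Printf("%-12q unconfined=%-34s confined=%q err=%v\n",
			id, unconfinedSource(id), src, err)
	}
}
```

The containment check is lexical only; a symlink placed inside the base directory would additionally need resolving (for example with filepath.EvalSymlinks) before the path is mounted.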

Affected Version(s)

daytona < 0.186

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
