Authentication Bypass in Daytona by DaytonaIO
CVE-2026-54320

8.4 HIGH

Key Information:

Vendor: Daytonaio

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-54320?

Daytona provides infrastructure for AI-generated code execution and agent workflows. In versions prior to 0.184.0, users could accept or decline organization invitations without having their email verified. The flaw arose because email verification was enforced for organization creation but not in the invitation handling process. An attacker could exploit this by registering an email address that matched a pending invitation and acting on the invitation before the address was verified, which granted the role attached to that invitation in the associated organization, potentially up to Owner. The issue was resolved in version 0.184.0.
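
The mismatch described above, as an added example rather than Daytona's own code: a hypothetical invitation handler that lacks the verification gate, next to one that shares the gate with organization creation. All function names, field names and the sample invitation are assumptions constructed for illustration.

```javascript
// Added illustration: hypothetical names throughout, not Daytona's code.
class ForbiddenError extends Error {}

// Constructed sample data: one pending invitation carrying the Owner role.
function sampleInvitations() {
  return [{ id: "inv-1", email: "alice@example.com", org: "acme",
            role: "owner", status: "pending" }];
}

// One policy gate, shared by every organization-membership action.
function requireVerifiedEmail(user) {
  if (user.emailVerified !== true) {
    throw new ForbiddenError("email verification required");
  }
}

// Invitations are matched on the account's email, which is why an
// unverified address must never be enough to reach this lookup.
function findPending(user, invitationId, store) {
  const inv = store.find((i) => i.id === invitationId &&
    i.status === "pending" && i.email === user.email.toLowerCase());
  if (!inv) throw new ForbiddenError("no matching pending invitation");
  return inv;
}

// Before: the gate applied at organization creation is missing here.
function acceptInvitationUnchecked(user, invitationId, store) {
  const inv = findPending(user, invitationId, store);
  inv.status = "accepted";
  return { org: inv.org, role: inv.role };
}

// After: creation, accept and decline all pass the same gate.
function createOrganization(user, name) {
  requireVerifiedEmail(user);
  return { org: name, role: "owner" };
}

function respondToInvitation(user, invitationId, store, accept) {
  requireVerifiedEmail(user);
  const inv = findPending(user, invitationId, store);
  inv.status = accept ? "accepted" : "declined";
  return accept ? { org: inv.org, role: inv.role } : null;
}
```

Routing every membership action through one gate function keeps a later handler from drifting out of step with the others, which is the class of mismatch this CVE describes.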

Affected Version(s)

daytona < 0.184.0

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
