Description
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.186, a sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory. This vulnerability is fixed in 0.186.
Published: 2026-06-23
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Daytona is a secure and elastic infrastructure runtime for AI‑generated code execution and agent workflows. In versions earlier than 0.186, a sandbox volume reference—either a volumeId or a volume name—was passed to the runner and used to construct a host bind‑mount source path without any confinement. An attacker supplying a reference that includes path‑traversal sequences could cause the mount source to resolve outside the designated per‑volume base directory. This allows mounting of arbitrary host paths into the sandbox, exposing sensitive files from other tenants and potentially enabling the attacker to escape the sandbox environment. The weakness corresponds to classic directory traversal and improper privilege escalation flaws (CWE‑22, CWE‑250, CWE‑269). The CVE description does not indicate that remote code execution is possible, but the impact on confidentiality and isolation is significant.

Affected Systems

Daytona by daytonaio. Versions earlier than 0.186 are affected; any deployment using a sandbox volume reference before the 0.186 release is vulnerable.

Risk and Exploitability

The CVSS score is 4.2, giving it a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to submit a malicious volume reference, likely through an API or UI that accepts sandbox configurations. The resulting sandbox escape provides potential for cross‑tenant data access.

Generated by OpenCVE AI on June 24, 2026 at 10:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Daytona to version 0.186 or newer, which implements confinement of volume mount paths.
  • If an upgrade is not immediately possible, validate or sanitize any sandbox volume identifiers to reject path‑traversal sequences before they reach the runner process.
  • Apply the official fix or patch from daytonaio, upgrading to version 0.186 or later.

Generated by OpenCVE AI on June 24, 2026 at 10:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fjv8-j4p5-cr9m Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Daytonaio
Daytonaio daytona
Vendors & Products Daytonaio
Daytonaio daytona

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.186, a sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory. This vulnerability is fixed in 0.186.
Title Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
Weaknesses CWE-22
CWE-250
CWE-269
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Daytonaio Daytona
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:36:34.403Z

Reserved: 2026-06-12T18:42:02.223Z

Link: CVE-2026-54319

cve-icon Vulnrichment

Updated: 2026-06-24T13:36:31.284Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:50Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-250

    Execution with Unnecessary Privileges

  • CWE-269

    Improper Privilege Management