Impact
Daytona is a secure and elastic infrastructure runtime for AI‑generated code execution and agent workflows. In versions earlier than 0.186, a sandbox volume reference—either a volumeId or a volume name—was passed to the runner and used to construct a host bind‑mount source path without any confinement. An attacker supplying a reference that includes path‑traversal sequences could cause the mount source to resolve outside the designated per‑volume base directory. This allows mounting of arbitrary host paths into the sandbox, exposing sensitive files from other tenants and potentially enabling the attacker to escape the sandbox environment. The weakness corresponds to classic directory traversal and improper privilege escalation flaws (CWE‑22, CWE‑250, CWE‑269). The CVE description does not indicate that remote code execution is possible, but the impact on confidentiality and isolation is significant.
Affected Systems
Daytona by daytonaio. Versions earlier than 0.186 are affected; any deployment using a sandbox volume reference before the 0.186 release is vulnerable.
Risk and Exploitability
The CVSS score is 4.2, giving it a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to submit a malicious volume reference, likely through an API or UI that accepts sandbox configurations. The resulting sandbox escape provides potential for cross‑tenant data access.
OpenCVE Enrichment
Github GHSA