Impact
Daytona, a secure and elastic infrastructure runtime designed for AI‑generated code execution and agent workflows, allows users to join organizations through invitation emails. Prior to version 0.184.0, the platform accepted or declined an invitation whenever the caller's email matched the invitation's target email, even if that email had never been verified by the identity provider. Daytona authenticates users via OIDC and compares the invitation target email against the email claim in the caller's token, but the accept and decline paths did not check the claim's verification status, unlike organization creation, which required a verified email. An attacker who registers an unverified account under an email that matches a pending invitation (possible on identity providers that issue a session before verification completes) can call the accept flow and become a member of the target organization with whatever role the invitation carries, potentially up to Owner; an Owner-level invitation gives the attacker full control of the organization. The issue is patched in Daytona 0.184.0.
Affected Systems
Daytona by daytonaio, affecting all releases earlier than version 0.184.0. The issue exists in the invitation acceptance and decline flows of the Daytona platform.
Risk and Exploitability
With a CVSS score of 8.4, the vulnerability is rated high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward: an actor signs in through an identity provider that issues a session before email verification, registers an account under the invited email without verifying it, and accepts the pending invitation. This grants them the role specified in the invitation, potentially up to Owner, bypassing the intended authentication and authorization checks (CWE-287, Improper Authentication; CWE-863, Incorrect Authorization). The attacker must know or guess an invited address, and the identity provider in front of the deployment must issue sessions before verification; until an upgrade to 0.184.0 is possible, requiring email verification at the identity provider before any session is issued removes the precondition.
OpenCVE Enrichment