Impact
Daytona is a secure and elastic infrastructure runtime for AI‑generated code execution and agent workflows. Affected versions contain a cross‑organization Insecure Direct Object Reference (IDOR): the organization role update and delete endpoints authorize the caller only as an owner of the organization named in the request path, then resolve the target role solely by its identifier, without verifying that the role belongs to that organization. Because organizations are self‑service, any authenticated user who owns an organization can supply another organization’s role identifier and modify that role’s permissions or delete it. The flaw compromises the integrity of access controls and was fixed in Daytona 0.185.0.
Affected Systems
The affected product is Daytona by Daytona (daytonaio:daytona). Versions prior to 0.185.0 are vulnerable; the issue is addressed in release 0.185.0 and later. No specific sub‑components are enumerated beyond the organization role update and delete endpoints.
Risk and Exploitability
A CVSS score of 7.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access, but only ownership of some organization, which is easy to obtain in an open, self‑service deployment. Once a malicious organization owner learns a role identifier from another organization, they can modify or remove that role with no further authorization checks; exploitation is therefore straightforward, though limited to users who own an organization.
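The authorization gap described above, shown as an added TypeScript example that is not Daytona's own code: the vulnerable handler checks ownership of the path organization but fetches the role by id alone, while the hardened handler additionally requires the role to belong to that organization. All names (`Organization`, `Role`, `updateRoleVulnerable`, `updateRoleFixed`) and the sample data are constructed for illustration.

```typescript
// Constructed illustration of the advisory's bug class; not Daytona's code.
// Types, function names and sample data are hypothetical.
type Permission = string;
interface Organization { id: string; ownerId: string; }
interface Role { id: string; organizationId: string; permissions: Permission[]; }

// Constructed sample data: two self-service organizations with distinct owners.
const organizations = new Map<string, Organization>([
  ["org-a", { id: "org-a", ownerId: "alice" }],
  ["org-b", { id: "org-b", ownerId: "bob" }],
]);
const roles = new Map<string, Role>([
  ["role-a1", { id: "role-a1", organizationId: "org-a", permissions: ["read"] }],
  ["role-b1", { id: "role-b1", organizationId: "org-b", permissions: ["read"] }],
]);

// Guard shared by both handlers: caller must own the organization in the path.
function assertOrgOwner(callerId: string, orgId: string): Organization {
  const org = organizations.get(orgId);
  if (!org || org.ownerId !== callerId) throw new Error("forbidden: not an owner of " + orgId);
  return org;
}

// Vulnerable shape: the path organization is checked, but the role is
// resolved by identifier only, so any organization's role id is accepted.
function updateRoleVulnerable(callerId: string, orgId: string, roleId: string, permissions: Permission[]): Role {
  assertOrgOwner(callerId, orgId);
  const role = roles.get(roleId);
  if (!role) throw new Error("not found");
  role.permissions = [...permissions]; // missing: role.organizationId === orgId
  return role;
}

// Hardened shape: the lookup is scoped to the organization the caller was
// authorized for. A role from another organization is treated as not found,
// which also avoids confirming that the foreign id exists.
function updateRoleFixed(callerId: string, orgId: string, roleId: string, permissions: Permission[]): Role {
  assertOrgOwner(callerId, orgId);
  const role = roles.get(roleId);
  if (!role || role.organizationId !== orgId) throw new Error("not found");
  role.permissions = [...permissions];
  return role;
}

// Helper for inspecting state after a call (returns a copy).
function getPermissions(roleId: string): Permission[] {
  return [...(roles.get(roleId)?.permissions ?? [])];
}
```

The same ownership-scoped lookup applies to the delete endpoint: resolve the role by both organization and identifier, never by identifier alone.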
OpenCVE Enrichment
GitHub GHSA