Daytona, a secure and elastic infrastructure runtime for AI‑generated code execution and agent workflows, performs git clone operations. In versions before 0.185.0, the daemon’s implementation disabled TLS certificate verification. When a clone request includes Git credentials, the daemon transmits the HTTP Basic Authorization header to the remote host over a connection that does not validate the TLS certificate, affecting both the go‑git and native git CLI code paths. An attacker who can intercept clone traffic can present a fraudulent TLS certificate, capture the supplied Git credentials, and serve tampered repository content into the sandbox. The vulnerability is fixed in 0.185.0 and exposes credentials to an adversary capable of network eavesdropping.

The vulnerability affects Daytona installations produced by DaytonaIO. All versions earlier than 0.185.0 are susceptible when performing git clone operations that include HTTP Basic credentials. Versions 0.185.0 and later contain the fix.

With a CVSS score of 5.9, the risk level is moderate. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating limited observed exploitation. The likely attack vector is a man‑in‑the‑middle that intercepts clone traffic; no special privileges or additional conditions are required beyond the ability to observe the network to the Daytona daemon. Once credentials are captured, an attacker can gain unauthorized access to any repositories negotiated with those credentials and potentially upload malicious code into the sandbox environment.