Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

Summary A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. Impact The notification gateway's JWT handshake joined a...

CVE-2024-13626

creationtimestamp| type| source ---|---|--- 2025-02-17 06:02:43+00:00| seen| https://infosec.exchange/users/cve/statuses/114017708471446669 2025-02-17 06:15:46+00:00| seen| https://bsky.app/profile/cve-notifications.bsky.social/post/3lie3uaywwa2t 2025-02-17 08:11:01+00:00| seen|...