3 matches found
CVE-2026-54324 Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification...
GHSA-QWXF-2M7M-2M3X Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Summary A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events. Impact The notification gateway's JWT handshake joined a...
PT-2026-50595
Name of the Vulnerable Software and Affected Versions Daytona versions 0.101.0 through 0.184.0 Description A cross-tenant authorization flaw exists in the notification WebSocket gateway of the Daytona API service apps/api NestJS application. The JWT handshake joins a client-supplied organization...