GHSA-FJV8-J4P5-CR9M

Vulnerability from github – Published: 2026-06-18 17:19 – Updated: 2026-06-18 17:19
VLAI
Summary
Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
Details

Summary

A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volume base directory.

Impact

Had the traversal been reachable, an authenticated user could have caused the runner to bind-mount an unintended host path into their sandbox, with a worst-case impact of read and write access to other tenants' volume data (per-volume FUSE mounts are world-readable and writable).

Important: this path was not exploitable in any released version. A volume reference is validated against the database before it reaches the runner, and the volume id column is a UUID type, so a reference containing traversal sequences is rejected at validation time and the request fails before any mount is constructed. We could not reproduce cross-tenant access or an out-of-base host mount on a released build; the observable effect of the documented payload was a server-side validation error. Severity is assessed as Medium on that basis.

Patches

Fixed in v0.186.0. Volume references are now resolved to the canonical volume UUID server-side before reaching the runner, so a name can never flow downstream as a path component, and the runner confines the mount source to the volume base directory and rejects any non-UUID reference.

Workarounds

Upgrade to v0.186.0 or later. No configuration workaround is required for released versions, which were not exploitable.

Credit

Reported by @vnth4nhnt from CyStack.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.185.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/daytonaio/daytona"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.186.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-22",
      "CWE-250",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T17:19:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA sandbox volume reference (`volumeId`, which may also be a volume name) was forwarded to the\nrunner and used to build the host bind-mount source path without confinement. A reference\ncontaining path-traversal sequences could in principle resolve the mount source outside the\nintended per-volume base directory.\n\n## Impact\nHad the traversal been reachable, an authenticated user could have caused the runner to\nbind-mount an unintended host path into their sandbox, with a worst-case impact of read and\nwrite access to other tenants\u0027 volume data (per-volume FUSE mounts are world-readable and\nwritable).\n\nImportant: this path was not exploitable in any released version. A volume reference is\nvalidated against the database before it reaches the runner, and the volume id column is a\nUUID type, so a reference containing traversal sequences is rejected at validation time and\nthe request fails before any mount is constructed. We could not reproduce cross-tenant access\nor an out-of-base host mount on a released build; the observable effect of the documented\npayload was a server-side validation error. Severity is assessed as Medium on that basis.\n\n## Patches\nFixed in v0.186.0. Volume references are now resolved to the canonical volume UUID\nserver-side before reaching the runner, so a name can never flow downstream as a path\ncomponent, and the runner confines the mount source to the volume base directory and rejects\nany non-UUID reference.\n\n## Workarounds\nUpgrade to v0.186.0 or later. No configuration workaround is required for released versions,\nwhich were not exploitable.\n\n## Credit\nReported by @vnth4nhnt from CyStack.",
  "id": "GHSA-fjv8-j4p5-cr9m",
  "modified": "2026-06-18T17:19:51Z",
  "published": "2026-06-18T17:19:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-fjv8-j4p5-cr9m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/daytonaio/daytona"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox \u2014 cross-tenant data access and host escape"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…