GHSA-FJV8-J4P5-CR9M
Vulnerability from github – Published: 2026-06-18 17:19 – Updated: 2026-06-18 17:19Summary
A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the
runner and used to build the host bind-mount source path without confinement. A reference
containing path-traversal sequences could in principle resolve the mount source outside the
intended per-volume base directory.
Impact
Had the traversal been reachable, an authenticated user could have caused the runner to bind-mount an unintended host path into their sandbox, with a worst-case impact of read and write access to other tenants' volume data (per-volume FUSE mounts are world-readable and writable).
Important: this path was not exploitable in any released version. A volume reference is validated against the database before it reaches the runner, and the volume id column is a UUID type, so a reference containing traversal sequences is rejected at validation time and the request fails before any mount is constructed. We could not reproduce cross-tenant access or an out-of-base host mount on a released build; the observable effect of the documented payload was a server-side validation error. Severity is assessed as Medium on that basis.
Patches
Fixed in v0.186.0. Volume references are now resolved to the canonical volume UUID server-side before reaching the runner, so a name can never flow downstream as a path component, and the runner confines the mount source to the volume base directory and rejects any non-UUID reference.
Workarounds
Upgrade to v0.186.0 or later. No configuration workaround is required for released versions, which were not exploitable.
Credit
Reported by @vnth4nhnt from CyStack.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.185.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/daytonaio/daytona"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.186.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54319"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-22",
"CWE-250",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:19:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nA sandbox volume reference (`volumeId`, which may also be a volume name) was forwarded to the\nrunner and used to build the host bind-mount source path without confinement. A reference\ncontaining path-traversal sequences could in principle resolve the mount source outside the\nintended per-volume base directory.\n\n## Impact\nHad the traversal been reachable, an authenticated user could have caused the runner to\nbind-mount an unintended host path into their sandbox, with a worst-case impact of read and\nwrite access to other tenants\u0027 volume data (per-volume FUSE mounts are world-readable and\nwritable).\n\nImportant: this path was not exploitable in any released version. A volume reference is\nvalidated against the database before it reaches the runner, and the volume id column is a\nUUID type, so a reference containing traversal sequences is rejected at validation time and\nthe request fails before any mount is constructed. We could not reproduce cross-tenant access\nor an out-of-base host mount on a released build; the observable effect of the documented\npayload was a server-side validation error. Severity is assessed as Medium on that basis.\n\n## Patches\nFixed in v0.186.0. Volume references are now resolved to the canonical volume UUID\nserver-side before reaching the runner, so a name can never flow downstream as a path\ncomponent, and the runner confines the mount source to the volume base directory and rejects\nany non-UUID reference.\n\n## Workarounds\nUpgrade to v0.186.0 or later. No configuration workaround is required for released versions,\nwhich were not exploitable.\n\n## Credit\nReported by @vnth4nhnt from CyStack.",
"id": "GHSA-fjv8-j4p5-cr9m",
"modified": "2026-06-18T17:19:51Z",
"published": "2026-06-18T17:19:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-fjv8-j4p5-cr9m"
},
{
"type": "PACKAGE",
"url": "https://github.com/daytonaio/daytona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox \u2014 cross-tenant data access and host escape"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.