CVE-2026-54319: Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
A sandbox volume reference (volumeId, which may also be a volume name) was forwarded to the
runner and used to build the host bind-mount source path without confinement. A reference
containing path-traversal sequences could in principle resolve the mount source outside the
intended per-volume base directory.
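
One way to confine a bind-mount source to a per-volume base directory, as an added Go example (not Daytona's code or its fix). The helper name `ResolveVolumeMountSource`, the base path `/var/lib/volumes` and the allow-list pattern are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidVolumeRef is returned for any reference that fails confinement.
var ErrInvalidVolumeRef = errors.New("invalid volume reference")

// Assumed allow-list: one path component, no separators, cannot start with a dot.
var volumeRefPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$`)

// ResolveVolumeMountSource (hypothetical helper) maps a volume id or name to
// the host directory used as the bind-mount source, refusing any result that
// is not a direct child of baseDir.
func ResolveVolumeMountSource(baseDir, ref string) (string, error) {
	// Check 1: syntactic allow-list. Rejects "", "..", "a/b", "/etc", "../x".
	if !volumeRefPattern.MatchString(ref) {
		return "", fmt.Errorf("%w: %q", ErrInvalidVolumeRef, ref)
	}
	base := filepath.Clean(baseDir)
	candidate := filepath.Join(base, ref) // Join also cleans the result

	// Check 2: independent confinement check on the final path, so a later
	// loosening of the allow-list cannot reintroduce the traversal.
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel != ref || strings.Contains(rel, string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrInvalidVolumeRef, ref, base)
	}
	// Lexical checks do not see symlinks; on a real host also compare
	// filepath.EvalSymlinks(candidate) against the base once the directory exists.
	return candidate, nil
}

func main() {
	// Constructed inputs: one well-formed id and several traversal attempts.
	for _, ref := range []string{"vol-7f3a", "../../etc", "..", "vol/../../root", "/etc"} {
		path, err := ResolveVolumeMountSource("/var/lib/volumes", ref)
		fmt.Printf("%-18q -> %q err=%v\n", ref, path, err)
	}
}
```

The same check belongs at every layer that handles the reference: at the API boundary that accepts it and again in the runner that builds the mount source.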