CVE-2026-54321: Daytona: Public sandbox previews remain accessible for up to one hour after being made private

June 16, 2026

Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox’s visibility changed.

References

github.com/advisories/GHSA-ww63-pv5x-vfc8
github.com/daytonaio/daytona/security/advisories/GHSA-ww63-pv5x-vfc8
nvd.nist.gov/vuln/detail/CVE-2026-54321

Code Behaviors & Features

Detect and mitigate CVE-2026-54321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →