CVE-2026-54324: Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

June 17, 2026

A cross-tenant authorization flaw in Daytona’s notification WebSocket gateway allowed any authenticated user to subscribe to another organization’s realtime notification channel and passively receive that organization’s events.

References

github.com/advisories/GHSA-qwxf-2m7m-2m3x
github.com/daytonaio/daytona/security/advisories/GHSA-qwxf-2m7m-2m3x
nvd.nist.gov/vuln/detail/CVE-2026-54324

Code Behaviors & Features

Detect and mitigate CVE-2026-54324 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →