CVE-2026-54320: Daytona: email bypass grants unauthorized org Owner access

HIGH
Published June 23, 2026
CISO Take

Daytona, an infrastructure runtime purpose-built for AI-generated code execution and agent workflows, contains an authentication bypass that allows a low-privileged attacker to accept organization invitations using an unverified email address. The vulnerability exists because the invitation accept and decline API endpoints check that the OIDC token email matches the invitation target but never require that email to be verified, a gap not shared by organization creation, which already enforced verification. An adversary who knows a pending invitation's target email can register that address on a self-service OIDC provider, skip verification, and immediately call the accept endpoint to join the organization with whatever role the invitation carried, up to Owner. Owner access to a Daytona organization is a serious AI-pipeline risk: it controls who can deploy and execute AI-generated code, modify agent workspace configurations, and manage the sandboxed runtimes that downstream AI agents rely on. No public exploits or CISA KEV listing exist, and High attack complexity (the attacker must identify a pending invitation email) tempers immediate urgency, but the Changed scope with dual High ratings on Confidentiality and Integrity warrants patching before the next maintenance window. Upgrade to Daytona 0.184.0 immediately, audit organization membership for accounts with anomalous join timestamps, revoke all outstanding invitations and re-issue them post-patch, and harden your OIDC provider to block sessions until email verification completes.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 8.4 High with Changed scope indicates blast radius extending beyond the vulnerable invitation endpoint into the broader Daytona organization and its AI execution infrastructure. The primary mitigating factor is High attack complexity — the adversary must know a pending invitation's target email address before it expires. In enterprise environments with predictable naming conventions (firstname.lastname@company.com), this barrier is meaningfully lower than the CVSS rating implies. No active exploitation evidence, no public proof-of-concept, and no CISA KEV listing are positive signals, but the vulnerability is straightforward conceptually: once the attack precondition (known invitation email) is met, exploitation requires only account creation and a single API call. Organizations running Daytona in multi-tenant or production AI agent pipelines should treat this as a high-priority patch.

How does the attack unfold?

  1. Reconnaissance (AML.T0087): Adversary identifies a pending Daytona organization invitation and its target email address through social engineering, exposed email headers, or insider access.

  2. Account Establishment (AML.T0021): Adversary registers a new account on a self-service OIDC provider using the target invitation email, deliberately skipping the verification step to preserve the unverified email state.

  3. Auth Bypass Exploitation (AML.T0049): Adversary calls the Daytona invitation accept endpoint with the unverified session token; the endpoint validates email match but omits verification status check, granting organization membership at the invited role level.

  4. AI Infrastructure Takeover (AML.T0081): With Owner-level access, adversary modifies Daytona workspace configurations and agent execution environments to inject malicious code, exfiltrate credentials, or pivot through AI agent pipelines.

How severe is it?

CVSS 3.1: 8.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

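Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): Low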

What should I do?

  1. Patch immediately: upgrade Daytona to version 0.184.0, which enforces email verification on both the invitation accept and decline code paths.

  2. Audit existing organization membership: review all accounts for unexpected members, focusing on those who joined recently without corresponding verified-email events in your OIDC provider's audit logs.

  3. Revoke all outstanding invitations: re-issue invitations after deploying the patch to ensure acceptance flows through the fixed verification check.

  4. Harden your OIDC provider: configure it to block session issuance until email verification is complete, removing the precondition for this attack even if a similar bypass were introduced elsewhere.

  5. Enable audit logging on Daytona organization membership changes and alert on Owner-role assignments.

  6. If unauthorized Owner accounts are discovered, rotate all API keys, workspace credentials, and agent tool tokens associated with that organization before removing the account.
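
One way to carry out the membership audit in steps 2 and 5, as an added example that is not part of the original advisory or Daytona's tooling. The record shapes, field names and sample rows are constructed assumptions; map them from your own Daytona and OIDC provider audit exports.

```python
from datetime import datetime

# Constructed sample records. Field names and event shapes are assumptions
# for illustration, not a real Daytona or IdP export format.
MEMBER_JOINS = [
    {"email": "alice@targetcorp.com", "role": "member", "joined_at": "2026-06-10T09:15:00+00:00"},
    {"email": "contractor@targetcorp.com", "role": "owner", "joined_at": "2026-06-12T14:02:00+00:00"},
    {"email": "bob@targetcorp.com", "role": "owner", "joined_at": "2026-06-14T08:30:00+00:00"},
    {"email": "carol@targetcorp.com", "role": "member", "joined_at": "2026-06-15T11:00:00+00:00"},
]
IDP_EMAIL_VERIFIED = [
    {"email": "alice@targetcorp.com", "verified_at": "2026-06-09T18:40:00+00:00"},
    {"email": "Bob@targetcorp.com", "verified_at": "2026-06-14T08:45:00+00:00"},
    {"email": "carol@targetcorp.com", "verified_at": "2026-06-01T10:00:00+00:00"},
]


def find_suspect_joins(joins, verifications):
    """Flag members whose join has no earlier email-verification event."""
    first_verified = {}
    for ev in verifications:
        key = ev["email"].strip().casefold()
        ts = datetime.fromisoformat(ev["verified_at"])
        if key not in first_verified or ts < first_verified[key]:
            first_verified[key] = ts

    findings = []
    for j in joins:
        joined = datetime.fromisoformat(j["joined_at"])
        verified = first_verified.get(j["email"].strip().casefold())
        if verified is None:
            reason = "no verification event"
        elif verified > joined:
            reason = "verified after join"  # accepted while still unverified
        else:
            continue
        findings.append({"email": j["email"], "role": j["role"], "reason": reason})
    # Owner-role findings first: they carry the widest access.
    findings.sort(key=lambda f: (f["role"] != "owner", f["email"]))
    return findings


if __name__ == "__main__":
    for f in find_suspect_joins(MEMBER_JOINS, IDP_EMAIL_VERIFIED):
        print(f"{f['role']:7} {f['email']:28} {f['reason']}")
```

A finding is a lead for review, not proof of compromise: a member who signed up early and verified later will also appear.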

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2 - AI system roles and responsibilities
NIST AI RMF: GOVERN 1.2 - Accountability structures for AI risk
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-54320 actively exploited?

No confirmed active exploitation of CVE-2026-54320 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54320?

  1. Patch immediately: upgrade Daytona to version 0.184.0, which enforces email verification on both the invitation accept and decline code paths.

  2. Audit existing organization membership: review all accounts for unexpected members, focusing on those who joined recently without corresponding verified-email events in your OIDC provider's audit logs.

  3. Revoke all outstanding invitations: re-issue invitations after deploying the patch to ensure acceptance flows through the fixed verification check.

  4. Harden your OIDC provider: configure it to block session issuance until email verification is complete, removing the precondition for this attack even if a similar bypass were introduced elsewhere.

  5. Enable audit logging on Daytona organization membership changes and alert on Owner-role assignments.

  6. If unauthorized Owner accounts are discovered, rotate all API keys, workspace credentials, and agent tool tokens associated with that organization before removing the account.

What systems are affected by CVE-2026-54320?

This vulnerability affects the following AI/ML architecture patterns: AI agent execution environments, Code execution sandboxes for AI-generated code, CI/CD pipelines for AI agent workflows, Multi-tenant AI infrastructure platforms, Agent frameworks with cloud orchestration backends.

What is the CVSS score for CVE-2026-54320?

CVE-2026-54320 has a CVSS v3.1 base score of 8.4 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent execution environments
Code execution sandboxes for AI-generated code
CI/CD pipelines for AI agent workflows
Multi-tenant AI infrastructure platforms
Agent frameworks with cloud orchestration backends

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0021 Establish Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and matches an invitation's target email against the email in the caller's token, but the invitation accept and decline paths did not require that email to be verified, unlike organization creation, which already enforced verification. On identity providers that allow self-service signup and issue a session before the email is verified, an actor could register an address matching a pending invitation, leave it unverified, and accept the invitation, joining the target organization with the role the invitation carried (up to Owner). This vulnerability is fixed in 0.184.0.
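
The missing check described above, shown as the email-only comparison beside a hardened form that also requires the standard OIDC `email_verified` claim. This is an added example, not Daytona's code: the `Invitation` model, the function names and the sample claims are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invitation:
    # Hypothetical model; field names are assumptions, not Daytona's schema.
    email: str
    role: str


def _same_email(a: str, b: str) -> bool:
    return a.strip().casefold() == b.strip().casefold()


def allowed_pre_fix(claims: dict, inv: Invitation) -> bool:
    """Behaviour the advisory describes before 0.184.0: email match only."""
    email = claims.get("email")
    return isinstance(email, str) and _same_email(email, inv.email)


def allowed_hardened(claims: dict, inv: Invitation) -> bool:
    """Email match AND verified email, applied to accept and decline alike."""
    email = claims.get("email")
    if not isinstance(email, str) or not _same_email(email, inv.email):
        return False
    # Fail closed: only boolean True passes; missing, None, 1 or "true" do not.
    return claims.get("email_verified") is True


# Constructed sample data (not taken from a real token or invitation).
INVITE = Invitation(email="contractor@targetcorp.com", role="owner")
CASES = {
    "verified": {"email": "Contractor@TargetCorp.com", "email_verified": True},
    "unverified": {"email": "contractor@targetcorp.com", "email_verified": False},
    "claim_missing": {"email": "contractor@targetcorp.com"},
    "string_true": {"email": "contractor@targetcorp.com", "email_verified": "true"},
    "other_email": {"email": "someone@else.example", "email_verified": True},
}


def evaluate() -> dict:
    """Return {case: (pre_fix, hardened)} for every sample token."""
    return {name: (allowed_pre_fix(c, INVITE), allowed_hardened(c, INVITE))
            for name, c in CASES.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:14} pre-fix={old!s:5} hardened={new}")
```

If your identity provider emits `email_verified` as a string, normalize it where the token is validated rather than loosening this check.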

Exploitation Scenario

An attacker targeting an engineering team that runs AI agent pipelines on Daytona learns through LinkedIn or a phishing email that a contractor has a pending Daytona organization invitation sent to contractor@targetcorp.com. The attacker registers a GitHub account (a common Daytona OIDC provider) using contractor@targetcorp.com, starts the verification flow but never clicks the confirmation link, and obtains a valid session token with the unverified email claim. The attacker then calls the Daytona POST /invitations/{id}/accept endpoint using that token. Daytona's invitation handler verifies the token email matches the invitation target — it does — but never checks the verification status flag, so the invitation is accepted and the attacker joins the organization as Owner. From there, the adversary modifies Daytona workspace configurations to embed a reverse shell in the AI agent execution environment, enabling code injection that propagates through downstream AI-generated pipeline outputs, or harvests credentials stored in agent tool configuration files.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Timeline

Published: June 23, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
