CVE-2026-24516
A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the "command:" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.
EPSS 0.13% · 32.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | digitalocean/droplet-agent | 0, 0 |
| n/a | n/a | *, n/a |
Exploit Intelligence
- Critical Pre-Auth Root RCE (CVSS 10.0) in DigitalOcean Droplet Agent up to v1.3.2 via Command Injection. (github-poc-repo)
- Technical analysis and PoC for CVE-2026-24516: Unauthenticated Root Remote Code Execution in DigitalOcean Droplet Agent (CVSS 10.0). (github-poc-repo)
…and 18 more exploits
Timeline
- Mar 23, 2026 CVE Published
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 CVE Updated
- Mar 25, 2026 EPSS Score
- Mar 25, 2026 Coalition ESS Score
- Mar 26, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
References
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/actioner/actioner.go (url)
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/exec.go (url)
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/command.go (url)
- https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE (url)
- https://nvd.nist.gov/vuln/detail/CVE-2026-24516 (advisory)
- https://github.com/digitalocean/droplet-agent (package)