CVE-2026-24516 - Vulnerability Analysis
Severity: High
CVSS: 8.8
Last Updated: March 24, 2026
DigitalOcean Droplet Agent - Command Injection
Published: March 23, 2026
Updated: March 24, 2026
PoC Available
Remote Exploitable
Overview
DigitalOcean Droplet Agent <= 1.3.2 contains a command injection vulnerability caused by insufficient validation of the commands in the TroubleshootingAgent.Requesting array. An attacker who controls metadata responses can execute arbitrary OS commands with root privileges. Exploitation requires sending crafted TCP packets to the SSH port.
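As an added illustration (not code from the droplet-agent project), the validation pattern that closes this class of bug: each entry in a request array is matched against a fixed allowlist and run with an explicit argv rather than through a shell. The JSON field layout, the allowlist entries and the sample inputs are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
)

// Constructed stand-in for the metadata document; the real field layout is an assumption.
type troubleshootingRequest struct {
	Requesting []string `json:"requesting"`
}

// allowedCommands maps a request token to a fixed argv. Nothing taken from the
// metadata response is passed to a shell or spliced into an argument string.
var allowedCommands = map[string][]string{
	"uptime": {"uptime"},
	"disk":   {"df", "-h"},
}

// ResolveCommands turns the Requesting array into argv slices, rejecting the
// whole request if any token is not an exact allowlist key.
func ResolveCommands(raw []byte) ([][]string, error) {
	var req troubleshootingRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	var argvs [][]string
	for _, tok := range req.Requesting {
		argv, ok := allowedCommands[tok]
		if !ok {
			return nil, fmt.Errorf("rejecting unknown command %q", tok)
		}
		argvs = append(argvs, argv)
	}
	return argvs, nil
}

func main() {
	// Constructed sample inputs: a well-formed request, then one carrying an injected shell command.
	for _, in := range []string{`{"requesting":["uptime","disk"]}`, `{"requesting":["uptime; id"]}`} {
		argvs, err := ResolveCommands([]byte(in))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		for _, argv := range argvs {
			out, _ := exec.Command(argv[0], argv[1:]...).CombinedOutput()
			fmt.Printf("%v -> %s", argv, out)
		}
	}
}
```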
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can execute arbitrary OS commands as root, leading to full system compromise and data exfiltration.
Mitigation
Update to a version later than 1.3.2, preferably the latest available release.
References
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/actioner/actioner.go
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/command.go
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/exec.go
- https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE
Details
- CVE ID: CVE-2026-24516
- Severity: High
- CVSS Score: 8.8
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H