CVE-2026-24516

Source
https://cve.org/CVERecord?id=CVE-2026-24516
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24516.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24516
Aliases
Downstream
Related
Published
2026-03-23T00:00:00Z
Modified
2026-07-08T08:04:56.355000552Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the "command:" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24516.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/digitalocean/droplet-agent

Affected ranges

Type
GIT
Repo
https://github.com/digitalocean/droplet-agent
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "DESCRIPTION",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.2"
        }
    ]
}

Affected versions

0.*
0.2.8
1.*
1.2.11
1.2.12
1.2.13
1.3.0
1.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24516.json"