CVE-2026-24516 - Vulnerability Analysis
N/a
Last Updated: March 23, 2026
DigitalOcean Droplet Agent - Command Injection
Published: March 23, 2026
Updated: March 23, 2026
PoC Available
Overview
DigitalOcean Droplet Agent <= 1.3.2 contains a command injection vulnerability caused by insufficient validation of commands in the TroubleshootingAgent.Requesting array. An attacker who controls metadata responses can execute arbitrary OS commands with root privileges. Exploitation requires sending crafted TCP packets to the SSH port.
Severity & Score
Severity: N/a
Impact
Attackers can execute arbitrary OS commands as root, leading to full system compromise and data exfiltration.
Mitigation
Update to a version later than 1.3.2 or the latest available version.
References
- https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/actioner/actioner.go
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/command.go
- https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/exec.go
Details
- CVE ID: CVE-2026-24516
- Severity: N/a
- Type: command_injection
- Status: new
CVSS Metrics
N/A