{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-30T17:53:54.130","vulnerabilities":[{"cve":{"id":"CVE-2026-24516","sourceIdentifier":"cve@mitre.org","published":"2026-03-23T17:16:37.863","lastModified":"2026-03-24T15:54:09.400","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the \"command:\" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure."},{"lang":"es","value":"Una vulnerabilidad de inyección de comandos existe en DigitalOcean Droplet Agent hasta la versión 1.3.2. El componente de acción de resolución de problemas (internal/troubleshooting/actioner/actioner.go) procesa metadatos del endpoint del servicio de metadatos y ejecuta comandos especificados en el array TroubleshootingAgent.Requesting sin una validación de entrada adecuada. Si bien el código valida que los artefactos existen en el mapa validInvestigationArtifacts, no logra sanear el contenido real del comando después del prefijo 'command:'. Esto permite a un atacante que puede controlar las respuestas de metadatos inyectar y ejecutar comandos arbitrarios del sistema operativo con privilegios de root. El ataque se desencadena enviando un paquete TCP con números de secuencia específicos al puerto SSH, lo que hace que el agente obtenga metadatos de http://169.254.169.254/metadata/v1.json. La vulnerabilidad afecta el flujo de ejecución de comandos en internal/troubleshooting/actioner/actioner.go (validación insuficiente), internal/troubleshooting/command/exec.go (llamada directa a exec.CommandContext) y internal/troubleshooting/command/command.go (análisis de comandos sin sanitización). Esto puede llevar a un compromiso completo del sistema, exfiltración de datos, escalada de privilegios y potencial movimiento lateral a través de la infraestructura en la nube."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/actioner/actioner.go","source":"cve@mitre.org"},{"url":"https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/command.go","source":"cve@mitre.org"},{"url":"https://github.com/digitalocean/droplet-agent/blob/main/internal/troubleshooting/command/exec.go","source":"cve@mitre.org"},{"url":"https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE","source":"cve@mitre.org"}]}}]}