CVE-2026-41179

Name

CVE-2026-41179

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
security-advisories@github.com	https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go
security-advisories@github.com	https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go
security-advisories@github.com	https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go
security-advisories@github.com	https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q
security-advisories@github.com	https://github.com/rclone/rclone/commit/2a9e952b38e03a96bf40c9eb6e8e22199865ee3b
security-advisories@github.com	https://github.com/rclone/rclone/releases/tag/v1.73.5
security-advisories@github.com	https://rclone.org/changelog/#v1-73-5-2026-04-19

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:rclone:rclone::::::::`	rclone	>= 1.48.0	< 1.73.5

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
rclone	edge-community	1.73.5-r0	Mike Crute <mike@crute.us>	fixed
rclone	edge-community	1.72.1-r3	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.72.1-r2	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.72.1-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.72.1-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.71.0-r4	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.71.0-r3	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.71.0-r2	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.71.0-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.71.0-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.70.3-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.70.3-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.70.1-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.70.1-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.70.0-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.3-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.2-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.1-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.1-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.0-r3	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.0-r2	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.0-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.69.0-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.68.2-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	edge-community	1.67.0-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.72.1-r4	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.72.1-r3	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.72.1-r2	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.72.1-r1	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.72.1-r0	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.71.0-r4	Mike Crute <mike@crute.us>	possibly vulnerable
rclone	3.23-community	1.71.0-r3	Mike Crute <mike@crute.us>	possibly vulnerable