CVE-2026-41179

EUVD-2026-25144
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
OS Command Injection
Provider  Type     Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score (CVSS 3.x): 9.8 CRITICAL
EPSS Score: percentile 91%
Affected Products (NVD)

Vendor  Product  Version
rclone  rclone   1.48.0 <= x < 1.73.5

(x = vulnerable software versions)
Debian Releases

Debian Product  Codename  Status
rclone          bookworm  vulnerable
                bullseye  vulnerable
                forky     vulnerable
                sid       vulnerable
                trixie    vulnerable
Ubuntu Releases

Ubuntu Product  Codename  Status
rclone          bionic    not-affected
                focal     not-affected
                jammy     not-affected
                noble     Fixed 1.60.1+dfsg-3ubuntu0.24.04.5 (released)
                questing  Fixed 1.60.1+dfsg-4ubuntu2.1 (released)
                resolute  Fixed 1.60.1+dfsg-4ubuntu3.1 (released)
Amazon Linux Releases

Amazon Package      Release            Version               Status
rclone              Amazon Linux 2     0:1.55.1-1.amzn2.0.5  fixed
rclone              Amazon Linux 2023  0:1.73.5-75.amzn2023  fixed
rclone-debuginfo    Amazon Linux 2     0:1.55.1-1.amzn2.0.5  fixed
rclone-debuginfo    Amazon Linux 2023  0:1.73.5-75.amzn2023  fixed
rclone-debugsource  Amazon Linux 2023  0:1.73.5-75.amzn2023  fixed