CVE-2026-41179

CVE-2026-41179 PUBLISHED CVSS 9.2 CRITICAL

CVE-2026-41176 is an authentication bypass vulnerability in the RC (Remote Control) administrative interface of Rclone versions prior to 1.73.5. An unauthenticated attacker with network access to an Rclone RC server can bypass authentication controls and gain unauthorised access to sensitive administrative functionality, including configuration and operational RC methods. This could allow attackers to manipulate configuration, access operational RC methods, read sensitive data, and potentially compromise the integrity and confidentiality of stored cloud data and configurations. Depending on the enabled RC surface and runtime configuration, this can lead to local file read, credential/config disclosure, filesystem enumeration, and command execution.

CVE-2026-41179 is a single-request, unauthenticated command-execution vulnerability on reachable RC deployments that lack global HTTP authentication. It affects Rclone versions prior to 1.73.5. An unauthenticated attacker with network access to an RC deployment can execute arbitrary local commands on the affected system without any authentication or elevated privileges. This is accomplished with a single request that leverages the WebDAV backend initialization process. A successful attacker can obtain local file read, file write, or shell access, depending on the deployed environment. This could potentially lead to full system compromise, data theft, lateral movement, or denial of service.

Note: the following preconditions must all be met for exploitation of CVE-2026-41176 and CVE-2026-41179 to succeed:

  • The rclone remote control API must be enabled, either via the --rc flag or by running the rclone rcd server.
  • The remote control API must be reachable by the attacker; by default rclone only serves the rc on localhost unless the --rc-addr flag is in use.
  • The rc must have been deployed without global RC HTTP authentication, i.e. without --rc-user/--rc-pass/--rc-htpasswd or similar.

EPSS 5.15% · 90.0th percentile

Risk Scores

CVSS v4.0
9.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
5.15%
90.0th percentile

Affected Products

Vendor    Product    Versions
Rclone    Rclone

Timeline

  • Apr 22, 2026 CVE Published
  • Apr 23, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score
  • May 27, 2026 EPSS Score