CVE-2026-43617
PUBLISHED
CVSS 6.3 MEDIUM
Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.
EPSS 0.01% · 2.5th percentile
Risk Scores
CVSS v4.0
6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.01%
2.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RsyncProject | rsync | 0 |
Timeline
- May 20, 2026 EPSS Score
- May 20, 2026 CVE Published
- May 20, 2026 PoC Published
- May 20, 2026 CVE Updated
- May 20, 2026 PoC Published
- May 20, 2026 Security Advisory
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f vendor-advisory
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 url
- https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-43617 advisory