Bug 2460989 (CVE-2026-41176) - CVE-2026-41176 github.com/rclone/rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint.
Keywords:
Status: NEW
Alias: CVE-2026-41176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2464138 2464139 2464140 2464141 2464142 2464143 2464144 2461127 2461128
Blocks:
Reported: 2026-04-23 01:01 UTC by OSIDB Bzimport
Modified: 2026-04-30 14:57 UTC
CC List: 15 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-23 01:01:34 UTC
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

