Bug 2460988 (CVE-2026-41179) - CVE-2026-41179 github.com/rclone/rclone: Rclone: Unauthenticated local command execution via exposed RC endpoint
Summary: CVE-2026-41179 github.com/rclone/rclone: Rclone: Unauthenticated local comman...
Keywords:
Status: NEW
Alias: CVE-2026-41179
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2461221
Blocks:
Reported: 2026-04-23 01:01 UTC by OSIDB Bzimport
Modified: 2026-04-23 19:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-23 01:01:30 UTC
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

