CVE-2026-41176
Received Received - Intake
Unauthorized Access via RC Endpoint Misconfiguration in Rclone

Publication date: 2026-04-23

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-23
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41176
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rclone rclone From 1.45 (inc) to 1.73.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated remote attackers to bypass authentication on the rclone remote control (RC) interface, leading to unauthorized access to sensitive administrative functions.

Such unauthorized access can result in disclosure of sensitive configuration data, local file reading, filesystem enumeration, and arbitrary command execution.

Because of these impacts, the vulnerability could lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict controls on access to sensitive data and administrative functions.

Organizations using vulnerable versions of rclone without proper RC authentication may fail to meet compliance requirements related to access control, data confidentiality, and integrity.

Executive Summary

CVE-2026-41176 is a critical vulnerability in the rclone remote control (RC) API affecting versions from 1.45 up to 1.73.4. The issue arises because the RC endpoint `options/set` is exposed without requiring authentication, allowing unauthenticated attackers to change the global runtime configuration.

An attacker can exploit this by setting `rc.NoAuth=true` via the unauthenticated `options/set` endpoint. This disables the authorization checks for many RC methods that normally require authentication, effectively bypassing the authentication mechanism on RC servers started without global HTTP authentication.

This means that an attacker can gain unauthorized access to sensitive administrative functions, including configuration and operational methods, without needing any credentials.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to disable authentication on the rclone RC server and access sensitive administrative functionality.

  • Unauthorized access to configuration methods such as listing remotes, dumping configuration, and getting configuration details.
  • Access to operational methods like listing operations, copying files, and executing core commands.
  • Potential for arbitrary command execution through methods like `operations/copyfile` which internally use system commands.

Overall, this can lead to local file reading, credential disclosure, filesystem enumeration, and remote command execution, severely compromising the security and integrity of the affected system.

Detection Guidance

This vulnerability can be detected by checking if the rclone remote control (RC) server is running without authentication and if the `rc.NoAuth` option has been set to true via the unauthenticated `options/set` endpoint.

A practical detection method is to attempt accessing protected RC methods before and after setting `rc.NoAuth=true` to see if authentication is bypassed.

Example commands to detect the vulnerability on a network-accessible rclone RC server (assuming default RC address 127.0.0.1:5572):

  • Check if protected methods require authentication (should return HTTP 403 if protected): curl -X POST http://127.0.0.1:5572/config/listremotes
  • Attempt to set `rc.NoAuth=true` without authentication: curl -X POST http://127.0.0.1:5572/options/set -H 'Content-Type: application/json' --data '{"rc":{"NoAuth":true}}'
  • Re-check protected methods to see if authentication is bypassed (should return HTTP 200 and valid JSON if vulnerable): curl -X POST http://127.0.0.1:5572/config/listremotes
Mitigation Strategies

To mitigate this vulnerability immediately, ensure that the rclone RC server is started with global HTTP authentication enabled.

Specifically, do not run the RC server without authentication options such as `--rc-user`, `--rc-pass`, or `--rc-htpasswd`.

Additionally, upgrade rclone to version 1.73.5 or later, where this vulnerability has been patched.

  • Start the rclone RC server with authentication enabled, for example: rclone rcd --rc-addr 127.0.0.1:5572 --rc-user yourusername --rc-pass yourpassword
  • Restrict network access to the RC server to trusted hosts only.
  • Upgrade rclone to version 1.73.5 or later.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart