CVE-2026-41179
Unauthenticated Remote Code Execution in Rclone RC Endpoint
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rclone | rclone | From 1.48.0 (inc) to 1.73.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41179 is a critical vulnerability in the rclone software's remote control (RC) API, specifically the `operations/fsinfo` endpoint. This endpoint is exposed without requiring authentication and accepts attacker-controlled filesystem input. Because the RC API supports inline backend definitions, an unauthenticated attacker can instantiate arbitrary backends on demand.
The vulnerability arises from the WebDAV backend's handling of the `bearer_token_command` option. During backend initialization, if this option is set, rclone executes the specified command locally. An attacker can exploit this by sending a specially crafted request to the vulnerable endpoint, causing rclone to execute arbitrary local commands without authentication.
This issue affects rclone versions from 1.48.0 up to and including 1.73.4 and was patched in version 1.73.5.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated remote code execution on rclone deployments with the RC API exposed without authentication. Such a critical security flaw can lead to unauthorized access, data manipulation, or system compromise.
From a compliance perspective, this vulnerability undermines the confidentiality, integrity, and availability of data managed by rclone, which are core principles in standards like GDPR and HIPAA.
Specifically, unauthorized command execution could lead to unauthorized data access or modification, violating data protection requirements and potentially resulting in breaches of personal or sensitive health information.
Therefore, if exploited, this vulnerability could cause non-compliance with regulations that mandate strong access controls, authentication, and protection against unauthorized system access.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to execute arbitrary local commands on the host running the rclone RC server. Because the RC API may be reachable over the network if improperly configured, an attacker can perform remote code execution with no privileges and no user interaction.
The impact includes potential local file read/write operations, shell access, and further system compromise. The attack can be performed with a single HTTP request, making it highly exploitable.
The severity is rated critical with a CVSS v4 base score of 9.2, reflecting the high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by attempting to exploit the unauthenticated remote control (RC) API endpoint `operations/fsinfo` on the rclone service. Specifically, sending a crafted HTTP POST request to the `/operations/fsinfo` endpoint with a payload that includes a WebDAV backend definition and a `bearer_token_command` that executes a local command can confirm the vulnerability.
An example command to test for this vulnerability is using curl to send such a request to the vulnerable RC server:
- curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':"
If the file `/tmp/rclone_fsinfo_rce_poc_marker` is created on the host, it confirms that the vulnerability is present and exploitable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading rclone to version 1.73.5 or later, where this vulnerability has been patched.
Additionally, ensure that the rclone RC API is not exposed without authentication. This means:
- Do not run the RC API without global HTTP authentication enabled (use `--rc-user`, `--rc-pass`, or `--rc-htpasswd`).
- Restrict network access to the RC API endpoint, ideally binding it to localhost only (default) or using firewall rules to prevent unauthorized access.
- If the RC API is not required, disable it by not using the `--rc` flag or not running `rclone rcd`.