CVE-2026-49980
Received Received - Intake
Remote Command Execution in Rclone

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-49980
EUVD
EUVD-2026-39018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
-rclone rclone From 1.46.0 (inc) to 1.74.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated remote command execution, which can lead to unauthorized access, data modification, and disruption of services. Such impacts can compromise the confidentiality, integrity, and availability of sensitive data.

This can affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity and availability.

Failure to mitigate this vulnerability could result in violations of these regulations due to potential data breaches or service disruptions.

Detection Guidance

This vulnerability can be detected by checking if the rclone remote control API (RC) is enabled without authentication and accessible on your system or network. Specifically, you should verify if the rclone process is running with the `rcd` command and the `--rc-serve` flag, and whether the RC listener is exposed without authentication (no `--rc-user`, `--rc-pass`, or `--rc-htpasswd` options).

To detect this, you can perform the following steps:

  • Check running rclone processes for the `rcd` and `--rc-serve` flags, for example using: `ps aux | grep rclone`
  • Check if the RC HTTP listener port is open and accessible, for example using: `netstat -tuln | grep <rc-port>` or `ss -tuln | grep <rc-port>` (replace `<rc-port>` with the configured port, default is localhost only)
  • Attempt unauthenticated GET or HEAD requests to paths like `http://<rc-addr>/<remote:path>/object` using curl or similar tools, for example: `curl -I http://localhost:5572/<remote:path>/object`

If the RC API responds to unauthenticated requests, the system is vulnerable unless upgraded or protected by authentication.

Mitigation Strategies

To mitigate this vulnerability, upgrade rclone to version 1.74.3 or later, where the issue is fixed.

Executive Summary

This vulnerability exists in rclone versions from 1.46.0 until 1.74.3 when using the rclone rcd --rc-serve command. It allows unauthenticated GET and HEAD requests to access paths formatted as /[remote:path]/object. The 'remote' part of the URL is parsed and used to initialize backend configurations. Because inline remote configuration can include backend options that execute local commands during initialization, an attacker can exploit this by sending a single unauthenticated GET or HEAD request that results in executing a command as the rclone process user.

Impact Analysis

This vulnerability can have severe impacts because it allows remote unauthenticated attackers to execute arbitrary commands on the system running rclone with the privileges of the rclone process user. This can lead to full system compromise, data theft, data destruction, or further attacks within the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49980. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart