CVE-2026-41176
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/rclone/rclone | Go | >= 1.45.0, < 1.73.5 | 1.73.5 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (5)
- github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx (source: NVD; tags: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-25qr-6mpr-f7qx (source: GHSA; tags: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41176 (source: GHSA; tags: ADVISORY)
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go (source: NVD; tags: Product, WEB)
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go (source: NVD; tags: Product, WEB)
News mentions (1)
- Iranian MOIS Actors & the Cyber Crime Connection · Check Point Research · Mar 10, 2026