CVE-2026-41179
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, bearer_token_command is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/rclone/rcloneGo | >= 1.48.0, < 1.73.5 | 1.73.5 |
Affected products
4- osv-coords3 versionspkg:apk/chainguard/telegraf-1.39pkg:bitnami/rclonepkg:rpm/opensuse/rclone&distro=openSUSE%20Tumbleweed
< 1.39.1-r0+ 2 more
- (no CPE)range: < 1.39.1-r0
- (no CPE)range: >= 1.48.0, < 1.73.5
- (no CPE)range: < 1.73.5-1.1
Patches
Vulnerability mechanics
References
9- github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6qnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-jfwf-28xr-xw6qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41179ghsaADVISORY
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.gonvdProductWEB
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.gonvdProductWEB
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.gonvdProductWEB
- github.com/rclone/rclone/commit/2a9e952b38e03a96bf40c9eb6e8e22199865ee3bnvdWEB
- github.com/rclone/rclone/releases/tag/v1.73.5nvdWEB
- rclone.org/changelog/nvdWEB
News mentions
1- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and MoreThe Hacker News · Jun 22, 2026