VYPR
Critical severity9.8NVD Advisory· Published Apr 23, 2026· Updated May 20, 2026

CVE-2026-41179

CVE-2026-41179

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, bearer_token_command is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/rclone/rcloneGo
>= 1.48.0, < 1.73.51.73.5

Affected products

4

Patches

Vulnerability mechanics

References

9

News mentions

1