CVE-2026-41176
published 2026-04-23


Priority: P1 (90) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 34.73% (98.2th percentile)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Affected (8 ranges)

Vendor       Product                                   Version range         Fixed in
github.com   rclone_rclone                             >= 1.45.0, < 1.73.5   1.73.5
oadp         oadp-mustgather-rhel9
oadp         oadp-velero-restic-restore-helper-rhel9
oadp         oadp-velero-rhel9
rclone       rclone
rclone       rclone                                    >= 1.45, < 1.73.5     1.73.5
rhacm2       volsync-rhel9
ubuntu       rclone

Detection & IOCs (extracted from sources)

url:      /options/set
url:      /config/listremotes
command:  POST /options/set HTTP/1.1
          Content-Type: application/json
          {"rc":{"NoAuth":true}}
other:    {"rc":{"NoAuth":true}}
  • Detect exploit attempt: look for unauthenticated HTTP POST to /options/set with JSON body containing 'NoAuth':true — a 200 response with body '{}' confirms successful auth bypass.
  • Exploit chain: attacker first probes /config/listremotes expecting a 403, then POSTs {"rc":{"NoAuth":true}} to /options/set, then re-requests /config/listremotes expecting 200 with 'remotes' in body — monitor for this exact sequence from unauthenticated sources.
  • Vulnerable versions are rclone >= 1.45.0 and < 1.73.5; flag any RC server (started via `rclone rcd` or `--rc`) running these versions without HTTP authentication as high-priority targets.
  • Alert on any POST to /options/set that is not accompanied by valid HTTP authentication credentials on an rclone RC server — this endpoint should never be reachable without auth.
  • After a successful NoAuth bypass, attackers may access any RC method registered with AuthRequired:true — monitor for subsequent unauthenticated calls to sensitive RC endpoints (e.g. /config/listremotes, /core/command, /operations/*) following a /options/set POST.
  • Vulnerability is only exploitable when the rclone RC server is started (via `rclone rcd` or `--rc` flag) AND deployed without any required HTTP authentication. RC servers bound only to localhost are not remotely exploitable.
  • The attacker's cleanup step resets NoAuth to false after exploitation ({"rc":{"NoAuth":false}}), which may make forensic detection harder — look for the full request sequence rather than just the NoAuth=true payload.
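The detection points above (unauthenticated POST to /options/set carrying NoAuth:true, the 403-then-200 probe on /config/listremotes around it, post-bypass access to sensitive RC methods, and the NoAuth:false cleanup) can be turned into a single per-client sequence check. The script below is an added example, not code from this page or from the rclone project. It assumes a constructed access-log format (client IP, method, path, status, whether HTTP auth was present, optional JSON body); a real reverse proxy or RC server log would need its own parser, and the sample lines are constructed rather than captured traffic.

```python
import json
import re
from collections import defaultdict

# Constructed log line format (an assumption for this example): client IP,
# HTTP method, request path, response status, whether the request carried
# HTTP authentication, and optionally the JSON request body.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"auth=(?P<auth>yes|no)(?: body=(?P<body>.*))?$"
)

# RC method prefixes the advisory names as sensitive once NoAuth is set.
SENSITIVE_PREFIXES = ("/config/", "/core/command", "/operations/")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["auth"] = ev["auth"] == "yes"
    return ev


def noauth_value(body):
    """Return rc.NoAuth from a JSON body as a bool, or None if it is not set."""
    if not body:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    rc = data.get("rc") if isinstance(data, dict) else None
    if isinstance(rc, dict) and isinstance(rc.get("NoAuth"), bool):
        return rc["NoAuth"]
    return None


def analyze(lines):
    """Return findings keyed by client IP; each value is an ordered list of finding names."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_ip[ev["ip"]].append(ev)

    findings = defaultdict(list)
    for ip, events in per_ip.items():
        probe_seen = False  # unauthenticated 403 on /config/listremotes before the bypass
        bypassed = False    # NoAuth=true accepted (200) without authentication
        for ev in events:
            unauth = not ev["auth"]
            if ev["path"] == "/options/set" and ev["method"] == "POST" and unauth:
                # Any unauthenticated POST to /options/set is alert-worthy on its own.
                findings[ip].append("unauth_options_set")
                val = noauth_value(ev["body"])
                if val is True and ev["status"] == 200:
                    findings[ip].append("noauth_bypass_confirmed")
                    bypassed = True
                elif val is False and bypassed:
                    # Cleanup step: NoAuth reset to false after use.
                    findings[ip].append("noauth_cleanup")
            elif ev["path"] == "/config/listremotes" and unauth:
                if ev["status"] == 403 and not bypassed:
                    probe_seen = True
                elif ev["status"] == 200 and bypassed:
                    findings[ip].append("post_bypass_access:/config/listremotes")
                    if probe_seen:
                        findings[ip].append("full_exploit_chain")
            elif bypassed and unauth and ev["status"] == 200 and ev["path"].startswith(SENSITIVE_PREFIXES):
                findings[ip].append("post_bypass_access:" + ev["path"])
    return dict(findings)


# Constructed sample log, not captured traffic. The first client runs the full
# sequence including cleanup; the second is an authenticated admin; the third
# is a lone probe that gets a 403 and nothing more.
SAMPLE_LOG = [
    "203.0.113.7 POST /config/listremotes 403 auth=no",
    '203.0.113.7 POST /options/set 200 auth=no body={"rc":{"NoAuth":true}}',
    "203.0.113.7 POST /config/listremotes 200 auth=no",
    '203.0.113.7 POST /options/set 200 auth=no body={"rc":{"NoAuth":false}}',
    '198.51.100.4 POST /options/set 200 auth=yes body={"rc":{"NoAuth":false}}',
    "192.0.2.9 POST /config/listremotes 403 auth=no",
]

if __name__ == "__main__":
    for ip, names in analyze(SAMPLE_LOG).items():
        print(ip, names)
```

Only the first client produces findings: the authenticated admin never matches because the check is gated on absent credentials, and the lone 403 probe is recorded as state but not alerted on by itself. Keying state per client IP is what lets the cleanup step (NoAuth:false) be tied back to the earlier bypass rather than being read as a harmless write.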

CVSS provenance

nvd            v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0  9.2  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck            9.2  CRITICAL
vendor_redhat        9.2  CRITICAL
vendor_ubuntu        9.2  CRITICAL