CVE-2026-41176
Published 2026-04-23
Priority: P1 90 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 34.73% (98.2th percentile)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rclone_rclone | >= 1.45.0 < 1.73.5 | 1.73.5 |
| oadp | oadp-mustgather-rhel9 | — | — |
| oadp | oadp-velero-restic-restore-helper-rhel9 | — | — |
| oadp | oadp-velero-rhel9 | — | — |
| rclone | rclone | — | — |
| rclone | rclone | >= 1.45 < 1.73.5 | 1.73.5 |
| rhacm2 | volsync-rhel9 | — | — |
| ubuntu | rclone | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempt: look for an unauthenticated HTTP POST to /options/set with a JSON body containing 'NoAuth':true; a 200 response with body '{}' confirms a successful auth bypass.
- Exploit chain: the attacker first probes /config/listremotes expecting a 403, then POSTs {"rc":{"NoAuth":true}} to /options/set, then re-requests /config/listremotes expecting 200 with 'remotes' in the body. Monitor for this exact sequence from unauthenticated sources.
- Vulnerable versions are rclone >= 1.45.0 and < 1.73.5; flag any RC server (started via `rclone rcd` or `--rc`) running these versions without HTTP authentication as a high-priority target.
- Alert on any POST to /options/set that is not accompanied by valid HTTP authentication credentials on an rclone RC server; this endpoint should never be reachable without auth.
- After a successful NoAuth bypass, attackers may access any RC method registered with AuthRequired:true. Monitor for subsequent unauthenticated calls to sensitive RC endpoints (e.g. /config/listremotes, /core/command, /operations/*) following a /options/set POST.
- The vulnerability is only exploitable when the rclone RC server is started (via `rclone rcd` or the `--rc` flag) AND deployed without any required HTTP authentication. RC servers bound only to localhost are not remotely exploitable.
- The attacker's cleanup step resets NoAuth to false after exploitation ({"rc":{"NoAuth":false}}), which may make forensic detection harder; look for the full request sequence rather than just the NoAuth=true payload.
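As an added example (not rclone's code and not a detection rule from any of the sources quoted on this page), the Python below turns the indicators above into checks that run over constructed RC access-log records. The record fields (client, method, path, auth, req, status) are an assumed log schema; the version check implements the >= 1.45.0 and < 1.73.5 range, and the sequence check matches the probe / NoAuth=true / re-probe chain so that the NoAuth=false cleanup does not hide it.

```python
import json
from collections import defaultdict

VULN_MIN, FIXED = (1, 45, 0), (1, 73, 5)  # affected: >= 1.45.0 and < 1.73.5

def parse_version(v):
    # 'v1.45' -> (1, 45, 0); missing components are padded with 0
    parts = [int(p) for p in v.lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(v):
    return VULN_MIN <= parse_version(v) < FIXED

def noauth_value(req_body):
    # rc.NoAuth value carried by an options/set request body, or None
    try:
        return json.loads(req_body or "{}").get("rc", {}).get("NoAuth")
    except (ValueError, AttributeError):
        return None

def detect(records):
    """Return (finding, client) tuples for the indicators listed above."""
    findings, per_client = [], defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
        if r["method"] != "POST" or r["path"] != "/options/set" or r["auth"]:
            continue  # only unauthenticated options/set calls matter here
        flip = noauth_value(r["req"])
        if flip is True and r["status"] == 200:
            findings.append(("auth_bypass", r["client"]))        # gate disabled
        elif flip is False:
            findings.append(("noauth_reset", r["client"]))       # cleanup step
        else:
            findings.append(("unauth_options_set", r["client"]))  # should never happen
    for client, reqs in per_client.items():
        state = 0  # probe 403 -> NoAuth=true 200 -> probe 200, per client, in order
        for r in (x for x in reqs if not x["auth"]):
            if state == 0 and r["path"] == "/config/listremotes" and r["status"] == 403:
                state = 1
            elif state == 1 and r["path"] == "/options/set" and noauth_value(r["req"]) is True and r["status"] == 200:
                state = 2
            elif state == 2 and r["path"] == "/config/listremotes" and r["status"] == 200:
                findings.append(("exploit_chain", client))
                state = 0
    return findings

# Constructed sample records (assumed schema) modelled on the chain described above.
SAMPLE = [
    {"client": "203.0.113.7", "method": "POST", "path": "/config/listremotes", "auth": False, "req": "{}", "status": 403},
    {"client": "203.0.113.7", "method": "POST", "path": "/options/set", "auth": False, "req": '{"rc":{"NoAuth":true}}', "status": 200},
    {"client": "203.0.113.7", "method": "POST", "path": "/config/listremotes", "auth": False, "req": "{}", "status": 200},
    {"client": "203.0.113.7", "method": "POST", "path": "/options/set", "auth": False, "req": '{"rc":{"NoAuth":false}}', "status": 200},
    {"client": "10.0.0.5", "method": "POST", "path": "/options/set", "auth": True, "req": '{"main":{"Transfers":8}}', "status": 200},
]
```

Running `detect(SAMPLE)` yields an auth_bypass, a noauth_reset and an exploit_chain finding for 203.0.113.7 and nothing for the authenticated client.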
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.2 | CRITICAL | — |
| vendor_redhat | — | 9.2 | CRITICAL | — |
| vendor_ubuntu | — | 9.2 | CRITICAL | — |
Ubuntu
Rclone vulnerabilities
vendor_ubuntu · 2026-05-25 · CVSS 9.2 · CVE-2026-41176 [CRITICAL]
Title: Rclone vulnerabilities
Summary: Several security issues were fixed in Rclone.
It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41176)
It was discovered that Rclone incorrectly handled backend instantiation via the remote control API. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41179)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
github.com/rclone/rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint.
vendor_redhat · 2026-04-22 · CVSS 9.2 · CVE-2026-41176 [CRITICAL] · CWE-15
A flaw was found in Rclone, a command-line program designed for synchronizing files with various cloud storage providers. An unauthenticated attacker can exploit an exposed Remote Control (RC) endpoint, `options/set`, to disable the authorization mechanism for other RC methods. This vulnerability allows the attacker to gain unauthorized access to sensitive administrative functionality, including configuration and operational control of the Rclone server.
Statement: The vulnerable functionality exists in the RC server. Thus, for the vulnerability to be exploited, the RC server must be started, via `rclone rcd` or the `--rc` flag. Additionally, the RC server mu
GHSA
Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
ghsa · 2026-04-22 · CVE-2026-41176 [CRITICAL] · CWE-306
### Summary
The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.
### Preconditions
Preconditions for this vulnerability are:
- The rclone remote control API **must** be enabled, either by the `--rc` flag or by runnin
VulnCheck
rclone rclone Missing Authentication for Critical Function
vulncheck · 2026 · CVSS 9.2 · CVE-2026-41176 [CRITICAL]
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Affected: rclone rclone
No detection rules found.
Nuclei
Rclone RC - Broken Access Control
nuclei · CVSS 9.2 · CVE-2026-41176 [CRITICAL]
Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability: the RC endpoint `options/set` is reachable without authentication and allows mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions. Exploitation requires an RC server started without global HTTP authentication.
```yaml
impact: |
  Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
remediation: |
  Upgrade to version 1.73.5 or later.
reference:
  - https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41176
classification:
  cvss-score: 9.2
  cve-id: CVE-2026-41176
```
Bugzilla
CVE-2026-41176 golang-github-rclone-gofakes3: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41176 rclone-browser: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 restic: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [epel-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 restic: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 golang-github-rclone-ftp: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 gphotosdl: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 rclone-browser: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [epel-all]
bugzilla · 2026-04-30 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [fedora-all]
bugzilla · 2026-04-23 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint. [epel-all]
bugzilla · 2026-04-23 · CVSS 9.2 · [CRITICAL]
Bugzilla
CVE-2026-41176 github.com/rclone/rclone: Rclone: Unauthorized access to administrative functions through unauthenticated Remote Control endpoint.
bugzilla · 2026-04-23 · CVSS 9.2 · [CRITICAL]
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · CVSS 9.8 · CVE-2026-24858 [CRITICAL]
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
References:
- https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
- https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
- https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
- https://access.redhat.com/security/cve/CVE-2026-41176
- https://bugzilla.redhat.com/show_bug.cgi?id=2460989
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41176.json