CVE-2026-49980
published 2026-06-24

Priority: P269 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.70% (48.5th percentile)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.

Affected (3 ranges)

Vendor       Product                   Version range          Fixed in
cryostat     cryostat-storage-rhel9    (not stated)           (not stated)
github.com   rclone_rclone             >= 1.46.0 < 1.74.3     1.74.3
rclone       rclone                    >= 1.46 < 1.74.3       1.74.3

Detection & IOCs (extracted from sources)

URL pattern: /[remote:path]/object
Command: rclone rcd --rc-serve
  • Detect unauthenticated inbound GET or HEAD requests whose URL path matches /[remote:path]/object (a first path segment containing a colon-delimited remote name, followed by an object path) reaching any process started as 'rclone rcd --rc-serve'.
  • Alert on rclone process command lines containing both 'rcd' and '--rc-serve', especially when the listener is bound to 0.0.0.0 or started without any RC authentication flag (--rc-user, --rc-pass, --rc-htpasswd).
  • Monitor for inline remote configuration in URL paths handled by rclone rcd: such paths can embed backend options that trigger local command execution during backend initialization.
  • Treat rclone versions 1.46.0 through 1.74.2 (inclusive) running with --rc-serve as vulnerable; the fixed version is 1.74.3.
  • OADP and RHACM are not affected because they do not run 'rclone rcd --rc-serve' with an unauthenticated RC listener: OADP uses Restic (rclone serve restic --stdio) and Kopia (WebDAV serve with RC authentication), while RHACM VolSync uses rclone sync/copy or only compile-time dependencies.
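The detection points above, worked into a small triage script. This is an added example, not code from the advisory or from the rclone project: it classifies an rclone version against the affected range, flags rcd command lines that pass --rc-serve without one of the RC authentication flags named above, and matches GET/HEAD request paths whose first segment carries a remote: prefix, decoding percent-escapes first so an encoded colon is not missed. The process and access-log lines are constructed samples.

```python
"""Triage helpers for CVE-2026-49980 exposure (rclone rcd --rc-serve)."""
import re
from urllib.parse import unquote, urlsplit

AUTH_FLAGS = ("--rc-user", "--rc-pass", "--rc-htpasswd")
FIRST_AFFECTED, FIXED = (1, 46, 0), (1, 74, 3)   # >= 1.46.0, < 1.74.3
# First path segment contains a ':' -> looks like /[remote:path]/object
REMOTE_PATH = re.compile(r"^/[^/]*:[^/]*/")


def parse_version(text):
    """'1.74.1' -> (1, 74, 1); tolerates a leading 'v' and a missing patch number."""
    nums = [int(p) for p in text.lstrip("v").split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version):
    """True when the version falls inside the affected range from the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def exposed_listener(cmdline):
    """True for an rcd command line with --rc-serve and no RC authentication flag."""
    argv = cmdline.split()
    flags = {a.split("=", 1)[0] for a in argv}       # handle --flag=value form
    if "rcd" not in argv or "--rc-serve" not in flags:
        return False
    return not any(f in flags for f in AUTH_FLAGS)


def suspicious_request(method, target):
    """True for a GET/HEAD whose path matches /[remote:path]/object after decoding."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    path = unquote(urlsplit(target).path)            # decode %3A -> ':' etc.
    return REMOTE_PATH.match(path) is not None


def scan_access_log(lines):
    """Return the request lines that match the vulnerable path pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and suspicious_request(parts[0], parts[1]):
            hits.append(line)
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_ACCESS_LOG = [
    "GET /backup:photos/img.jpg HTTP/1.1",
    "HEAD /backup%3Aphotos/img.jpg HTTP/1.1",
    "GET /rc/noop HTTP/1.1",
    "POST /backup:photos/img.jpg HTTP/1.1",
]
```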

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GHSA: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL