CVE-2026-49980
Published 2026-06-24
Priority: P269 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.70% (48.5th percentile)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cryostat | cryostat-storage-rhel9 | — | — |
| github.com | rclone_rclone | >= 1.46.0 < 1.74.3 | 1.74.3 |
| rclone | rclone | >= 1.46 < 1.74.3 | 1.74.3 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated inbound GET or HEAD HTTP requests whose URL path matches the pattern /[remote:path]/object (i.e., contains a colon-delimited remote name followed by a path) against any process running 'rclone rcd --rc-serve'.
- Alert on rclone process command lines containing both 'rcd' and '--rc-serve' arguments, especially when bound to 0.0.0.0 or without RC authentication flags (--rc-user, --rc-pass, --rc-htpasswd).
- Monitor for inline remote configuration in URL paths passed to rclone rcd, as these can embed backend options that trigger local command execution during backend initialization.
- Flag rclone versions between 1.46.0 and 1.74.2 (inclusive) running with --rc-serve as vulnerable; fixed version is 1.74.3.
- OADP and RHACM are not affected because they do not run 'rclone rcd --rc-serve' with an unauthenticated RC listener; OADP uses Restic (rclone serve restic --stdio) and Kopia (WebDAV serve with RC authentication), while RHACM VolSync uses rclone sync/copy or only compile-time dependencies.
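The detection points above can be turned into a small triage script. The following is an added example written for this record, not code from the rclone project or any of the cited advisories. It implements three checks drawn from the advisory text: the version tiers (1.46.0 to 1.54.x unauthenticated local file read, 1.55.0 to 1.74.2 command execution, 1.74.3 fixed, per the GHSA wording), an audit of an rclone command line for an unauthenticated `rcd --rc-serve` listener, and a scan of HTTP access-log lines for GET/HEAD requests of the `/[remote:path]/object` shape. The access-log lines are constructed samples; the `--rc-addr` flag is rclone's bind-address flag and is not quoted on this page; the inline-remote heuristic (first path segment starting with a colon or carrying `key=value` options) is an assumption based on rclone's documented connection-string syntax.

```python
"""Defensive triage helpers for CVE-2026-49980 (rclone rcd --rc-serve).

Added example, not part of the rclone project. Three checks drawn from the
advisory text:
  1. version_status()     - which impact tier a build falls into
  2. audit_rcd_cmdline()  - is a process exposing an unauthenticated RC listener
  3. scan_access_log()    - do access-log lines show /[remote:path]/object requests
"""
import re
import shlex
from typing import Optional
from urllib.parse import unquote

FIXED = (1, 74, 3)            # fixed in 1.74.3
FIRST_AFFECTED = (1, 46, 0)   # unauthenticated local file read from here (GHSA text)
CMD_EXEC_FROM = (1, 55, 0)    # command execution from here onwards (GHSA text)

# RC authentication flags named in the detection guidance above.
RC_AUTH_FLAGS = ("--rc-user", "--rc-pass", "--rc-htpasswd")


def parse_version(text: str) -> tuple:
    """'1.74.2' -> (1, 74, 2); 'v1.46' -> (1, 46, 0). Pre-release suffixes are ignored."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_status(text: str) -> str:
    """Map a version string onto the advisory's impact tiers."""
    v = parse_version(text)
    if v >= FIXED:
        return "fixed"
    if v >= CMD_EXEC_FROM:
        return "vulnerable: unauthenticated command execution"
    if v >= FIRST_AFFECTED:
        return "vulnerable: unauthenticated local file read"
    return "outside affected range"


def audit_rcd_cmdline(cmdline: str) -> dict:
    """Inspect an rclone command line (e.g. from `ps`) for an exposed RC listener."""
    argv = shlex.split(cmdline)
    flags = {a.split("=", 1)[0] for a in argv if a.startswith("--")}
    serving = "rcd" in argv and "--rc-serve" in flags
    authenticated = any(f in flags for f in RC_AUTH_FLAGS)
    # --rc-addr is rclone's bind-address flag (assumed here, not quoted on the page);
    # with no --rc-addr the listener stays on localhost by default.
    addr = next((a.split("=", 1)[1] for a in argv if a.startswith("--rc-addr=")), None)
    if addr is None and "--rc-addr" in argv:
        i = argv.index("--rc-addr")
        addr = argv[i + 1] if i + 1 < len(argv) else None
    host = addr.rsplit(":", 1)[0] if addr else "localhost"
    wide_open = host in ("", "0.0.0.0", "[::]", "::")
    return {
        "serving_remotes": serving,
        "authenticated": authenticated,
        "bind_address": addr or "localhost (default)",
        "wide_open": wide_open,
        # the condition the advisory describes: remote serving with no RC auth
        "exposed": serving and not authenticated,
    }


# First path segment contains a colon (remote:path), followed by an object path.
REMOTE_PATH_RE = re.compile(r"^/(?P<remote>[^/]*:[^/]*)/(?P<object>.*)$")


def classify_request_path(path: str) -> Optional[str]:
    """'named-remote' or 'inline-remote' for /[remote:path]/object paths, else None."""
    m = REMOTE_PATH_RE.match(path)
    if not m:
        return None
    remote = m.group("remote")
    # Heuristic (assumption): a leading colon or key=value options in the remote
    # segment is the connection-string form that can carry backend options inline.
    if remote.startswith(":") or "=" in remote:
        return "inline-remote"
    return "named-remote"


LOG_RE = re.compile(r'"(?P<method>GET|HEAD)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})')


def scan_access_log(lines) -> list:
    """Return GET/HEAD requests whose path has the /[remote:path]/object shape."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = unquote(m.group("path").split("?", 1)[0])
        kind = classify_request_path(path)
        if kind:
            hits.append({"method": m.group("method"), "path": path,
                         "kind": kind, "status": int(m.group("status"))})
    return hits


# Constructed sample access log (Combined Log Format); addresses and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2026:10:01:02 +0000] "GET /healthz HTTP/1.1" 200 2',
    '10.0.0.9 - - [24/Jun/2026:10:01:07 +0000] "GET /s3backup:bucket/reports/q2.csv HTTP/1.1" 200 4096',
    '198.51.100.7 - - [24/Jun/2026:10:01:09 +0000] "HEAD /%3Aexample%2Csetting%3Dvalue:/some/object HTTP/1.1" 200 0',
    '10.0.0.5 - - [24/Jun/2026:10:01:12 +0000] "POST /rc/noop HTTP/1.1" 401 12',
]

if __name__ == "__main__":
    print(version_status("1.74.2"))
    print(audit_rcd_cmdline("rclone rcd --rc-serve --rc-addr 0.0.0.0:5572"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A named-remote hit is normal traffic on a server that intends to serve remotes; the signal worth paging on is an inline-remote hit, or any hit at all, against a listener that `audit_rcd_cmdline` reports as `exposed`.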
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- GHSA: 9.8 CRITICAL
- Red Hat (vendor): 9.8 CRITICAL
VulDB
Rclone up to 1.74.2 Configuration Remote missing authentication (GHSA-qw24-gh76-8rvv)
vuldb·2026-06-24·CVSS 9.8
CVE-2026-49980 [CRITICAL] Rclone up to 1.74.2 Configuration Remote missing authentication (GHSA-qw24-gh76-8rvv)
A vulnerability was found in Rclone up to 1.74.2. It has been declared as critical. The impacted element is an unknown function of the component Configuration Handler. The manipulation of the argument Remote results in missing authentication.
This vulnerability is reported as CVE-2026-49980. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
ghsa·2026-06-16·CVSS 9.8
CVE-2026-49980 [CRITICAL] CWE-306 Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
## Summary
`rclone rcd --rc-serve` accepts unauthenticated `GET` and `HEAD` requests to paths of the form:
```text
/[remote:path]/object
```
The `remote` value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated `GET` or `HEAD` request can execute a command as the rclone process user.
Versions from 1.55.0 onwards are vulnerable to command execution. Earlier versions (from 1.46.0) are vulnerable to the unauthenticated local file read described under "Additional impact" but not to command execution, beca
Red Hat
github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled
vendor_redhat·2026-06-24·CVSS 9.8
CVE-2026-49980 [CRITICAL] CWE-78 github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled
A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the `rcd --rc-serve` option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows for remote code execution, potentially compromising the system where Rclone is running.
Statement: OpenShift API for Data Protection (OADP) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) do not run rclone rcd --rc-serve with an unauthenticated RC listener. OADP relies on Restic (rclone serve restic --stdio) and Kopia (WebDAV serve with RC authentication), while RH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-49980 gphotosdl: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 gphotosdl: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-49980 rclone-browser: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 rclone-browser: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
Bugzilla
CVE-2026-49980 restic: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 restic: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
Bugzilla
CVE-2026-49980 rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [fedora-all]
Bugzilla
CVE-2026-49980 rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
Bugzilla
CVE-2026-49980 restic: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 restic: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
Bugzilla
CVE-2026-49980 rclone-browser: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
bugzilla·2026-06-25·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 rclone-browser: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled [epel-all]
Bugzilla
CVE-2026-49980 github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled
bugzilla·2026-06-24·CVSS 9.8
CVE-2026-49980 [CRITICAL] CVE-2026-49980 github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Published 2026-06-24