Unauthenticated Command Execution Vulnerability in Rclone by Rclone
CVE-2026-41179
9.2CRITICAL
What is CVE-2026-41179?
The Rclone tool, designed for file synchronization with various cloud storage systems, has a vulnerability stemming from the unsecured RC endpoint operations/fsinfo. In versions 1.48.0 through 1.73.4, this endpoint allows unauthenticated attackers to send controlled fs input, which can instantiate malicious backends. Particularly concerning is the WebDAV backend that executes bearer_token_command upon its initialization, leading to potential local command execution without requiring authorization. This serious flaw highlights the importance of implementing proper authentication measures in cloud synchronization tools.
Affected Version(s)
rclone >= 1.48.0, < 1.73.5
References
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V4
Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
