Unauthenticated Command Execution in Rclone Cloud Storage Sync Tool
CVE-2026-49980

9.8CRITICAL

Key Information:

Vendor

Rclone

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-49980?

Rclone, a versatile command-line utility for synchronizing files across various cloud storage services, is susceptible to an unauthenticated command execution flaw. Specifically, versions from 1.46.0 until 1.74.3 allow unauthenticated GET and HEAD requests targeting paths in the format /[remote:path]/object. This parsing oversight permits potentially harmful backend configurations, enabling an attacker to execute arbitrary commands on the system running the Rclone process. To mitigate this risk, users are advised to upgrade to version 1.74.3 or later.

Affected Version(s)

rclone >= 1.46.0, < 1.74.3

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.