Unauthenticated Command Execution in Rclone Cloud Storage Sync Tool
CVE-2026-49980
9.8CRITICAL
What is CVE-2026-49980?
Rclone, a versatile command-line utility for synchronizing files across various cloud storage services, is susceptible to an unauthenticated command execution flaw. Specifically, versions from 1.46.0 until 1.74.3 allow unauthenticated GET and HEAD requests targeting paths in the format /[remote:path]/object. This parsing oversight permits potentially harmful backend configurations, enabling an attacker to execute arbitrary commands on the system running the Rclone process. To mitigate this risk, users are advised to upgrade to version 1.74.3 or later.
Affected Version(s)
rclone >= 1.46.0, < 1.74.3
