Symlink Vulnerability in Rclone Command-Line Program
CVE-2026-54572
7.5HIGH
What is CVE-2026-54572?
Rclone is a versatile command-line tool for syncing files with various cloud storage providers. A vulnerability existed in versions preceding 1.74.4, where the tool, when using the -l/--links option, serialized symbolic links as text objects without proper validation of the target during recreation at the local destination. This flaw could be exploited by attackers through a controlled remote, allowing them to create an escaping symlink. Consequently, this could enable malicious writes to occur outside of the designated destination, potentially compromising system integrity. The issue has been addressed in version 1.74.4, emphasizing the importance of updating to safeguard against this security risk.
Affected Version(s)
rclone < 1.74.4
