Path Traversal Vulnerability in Rclone Command-Line Tool
CVE-2026-59732

5MEDIUM

Key Information:

Vendor

Rclone

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-59732?

The vulnerability in Rclone, a command-line tool for syncing files across various cloud storage services, allows users to extract files from crafted archives to unintended directories. Specifically, prior to version 1.74.4, the 'archive extract' feature could be manipulated via parent path components (e.g., '../') in the archive file, potentially leading to the creation or overwriting of files in neighbouring directory structures within the same storage scope. This issue poses significant data integrity risks, highlighting the importance of updating to the secured version to mitigate potential exploitation.

Affected Version(s)

rclone < 1.74.4

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.