PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41176 rclone CVE debrief

CVE-2026-41176 is a critical vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The vulnerability exists in the RC endpoint `options/set`, which is exposed without requiring authentication. This allows an unauthenticated attacker to mutate global runtime configuration, including the RC option block itself. Specifically, an attacker can set `rc.NoAuth=true`, disabling the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. The vulnerability affects Rclone versions starting from 1.45.0 and prior to 1.73.5. Version 1.73.5 patches the issue.

Vendor
rclone
Product
Unknown
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-23
Original CVE updated
2026-06-30
Advisory published
2026-04-23
Advisory updated
2026-06-30

Who should care

Organizations using Rclone for cloud storage synchronization should prioritize patching this vulnerability. Unauthenticated access can lead to significant security breaches, including unauthorized configuration changes and potential data exposure. Defender should focus on updating Rclone to version 1.73.5 or later and review their current Rclone configurations and usage.

Technical summary

The RC endpoint `options/set` in Rclone is exposed without authentication requirements. An unauthenticated attacker can exploit this to disable authentication for other RC methods, gaining unauthorized access to administrative functionality. This affects Rclone versions from 1.45.0 up to but not including 1.73.5. The issue is patched in version 1.73.5. The vulnerability is characterized by a CVSS score of 9.2 and a severity of CRITICAL.

Defensive priority

High. Immediate patching of Rclone to version 1.73.5 or later is recommended. Review current configurations and usage to ensure no unauthorized access has been granted.

Recommended defensive actions

  • Update Rclone to version 1.73.5 or later
  • Review and restrict access to RC endpoints
  • Monitor for suspicious activity on Rclone instances
  • Implement additional authentication mechanisms for RC servers
  • Conduct a thorough inventory of Rclone usage within the organization

Evidence notes

The CVE-2026-41176 vulnerability is well-documented in various sources, including the official CVE record and NVD detail pages. Vendor advisories and mitigation strategies are available, emphasizing the importance of updating to version 1.73.5. The vulnerability's criticality and potential impact underscore the need for prompt action.

Official resources

This article is AI-assisted and based on the supplied source corpus.