PatchSiren cyber security CVE debrief

CVE-2026-41179 rclone CVE debrief

Rclone versions 1.48.0 through 1.73.4 contain a critical unauthenticated remote code execution vulnerability in the RC (remote control) endpoint `operations/fsinfo`. The endpoint lacks authentication requirements and accepts attacker-controlled `fs` parameters that support inline backend definitions. An unauthenticated attacker can instantiate a malicious WebDAV backend with a crafted `bearer_token_command` parameter, causing arbitrary command execution during backend initialization. This enables single-request unauthenticated local command execution on reachable RC deployments that lack global HTTP authentication. The vulnerability was patched in version 1.73.5 released on April 19, 2026.

Vendor: rclone
Product: Unknown
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-05-20
Advisory published: 2026-04-23
Advisory updated: 2026-05-20

Who should care

Organizations running Rclone with the RC interface enabled, particularly those exposing RC endpoints to networks without strict access controls. Cloud infrastructure teams, DevOps engineers, and security operations centers managing file synchronization workloads should prioritize patching. Systems with RC exposed to the internet or untrusted networks are at highest risk.

Technical summary

The RC (remote control) HTTP API in Rclone provides programmatic access to rclone operations. The `operations/fsinfo` endpoint retrieves filesystem information but was registered without the `AuthRequired: true` flag that marks an RC call as requiring authentication. The endpoint accepts an `fs` parameter that is passed to `rc.GetFs()`, which supports inline backend definitions: a complete backend configuration can be specified in a single string rather than referencing a remote from the stored config. For the WebDAV backend, the `bearer_token_command` option names a shell command that is run to obtain a bearer token, and that command is executed during backend initialization. An attacker can therefore send a single HTTP request to `operations/fsinfo` whose `fs` value is an inline WebDAV backend carrying an arbitrary `bearer_token_command`, and the command runs immediately, with no authentication. The vulnerability is exploitable on any reachable RC deployment that does not have global HTTP authentication configured.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Rclone to version 1.73.5 or later immediately
  • If immediate patching is not possible, disable the RC interface or restrict network access to trusted hosts only
  • Enable global HTTP authentication on RC deployments as a defense-in-depth measure
  • Review RC access logs for suspicious `operations/fsinfo` requests with inline backend definitions
  • Audit systems for unauthorized WebDAV backend configurations or unexpected command execution
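The log-review action above hinges on recognising the request shape the technical summary describes: an `fs` value that is an inline backend definition rather than a named remote, combined with an option that runs a command. The following is an added example, not rclone project code or part of the advisory, that parses a constructed RC access log and flags such requests. It assumes a log format of one line per request (`<timestamp> <client-ip> <method> <path?query> <status>`), that `fs` arrives as a query-string parameter, and that inline definitions use rclone's connection-string form `:backend,key=value,...:path` with optional double-quoted values; adapt the line parser to your own RC logging before use.

```python
"""Hunt an rclone RC access log for inline backend definitions in `fs`.

Added example for the CVE-2026-41179 debrief; not rclone project code.
Assumed (not from the advisory): log format
"<timestamp> <client-ip> <method> <path?query> <status>", `fs` passed as a
query parameter, and inline backends written as ":backend,k=v,...:path"
with optional double-quoted values.  The log lines are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Option keys that make a backend execute a shell command while it is being
# initialised; bearer_token_command is the one the advisory names.
COMMAND_OPTIONS = {"bearer_token_command"}

# Constructed sample: a named remote, an inline WebDAV definition with a
# command option, an inline SFTP definition without one, and a noop call.
SAMPLE_LOG = """\
2026-04-23T10:01:02Z 10.0.0.5 POST /operations/fsinfo?fs=remote%3Abucket 200
2026-04-23T10:01:15Z 203.0.113.9 POST /operations/fsinfo?fs=%3Awebdav%2Curl%3D%22http%3A%2F%2F127.0.0.1%22%2Cbearer_token_command%3Did%3A 200
2026-04-23T10:02:40Z 10.0.0.5 POST /operations/list?fs=%3Asftp%2Chost%3Dfiles.example.internal%3A&remote= 200
2026-04-23T10:03:01Z 10.0.0.7 POST /rc/noop 200
"""


def _store(options: dict, pair: str) -> None:
    """Record one 'key=value' (or bare 'key') pair into options."""
    if "=" in pair:
        key, value = pair.split("=", 1)
        options[key.strip()] = value
    elif pair.strip():
        options[pair.strip()] = "true"


def parse_connection_string(fs: str):
    """Split ':backend,k=v,...:path' into (backend, options, path).

    Returns None for a named remote such as 'remote:bucket' or for an
    unterminated definition.  Commas and colons inside double quotes do
    not split the string.
    """
    if not fs.startswith(":"):
        return None
    i = 1
    while i < len(fs) and fs[i] not in ",:":
        i += 1
    backend = fs[1:i]
    if not backend:
        return None
    options: dict = {}
    if i < len(fs) and fs[i] == ",":
        i += 1
        current, in_quote = [], False
        while i < len(fs):
            ch = fs[i]
            if in_quote:
                if ch == '"':
                    in_quote = False
                else:
                    current.append(ch)
            elif ch == '"':
                in_quote = True
            elif ch == ",":
                _store(options, "".join(current))
                current = []
            elif ch == ":":
                break
            else:
                current.append(ch)
            i += 1
        _store(options, "".join(current))
    if i >= len(fs) or fs[i] != ":":
        return None
    return backend, options, fs[i + 1:]


def scan_log(log_text: str) -> list:
    """Return one finding per request whose `fs` is an inline backend."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, _method, request, _status = fields[:5]
        parts = urlsplit(request)
        fs_values = parse_qs(parts.query).get("fs")
        if not fs_values:
            continue
        parsed = parse_connection_string(fs_values[0])
        if parsed is None:
            continue
        backend, options, _path = parsed
        command_keys = sorted(set(options) & COMMAND_OPTIONS)
        # Unauthenticated fsinfo plus a command-running option is the shape
        # the advisory describes; any inline definition still bypasses the
        # stored config and deserves a look.
        if parts.path.endswith("/operations/fsinfo") and command_keys:
            severity = "high"
        elif command_keys:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"timestamp": timestamp, "client": client,
                         "endpoint": parts.path, "backend": backend,
                         "command_options": command_keys,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['timestamp']} {f['client']} "
              f"{f['endpoint']} backend={f['backend']} "
              f"command_options={f['command_options']}")
```

Run against the embedded sample, the WebDAV request from 203.0.113.9 is reported as high and the SFTP inline definition as low; the named remote and the noop call produce nothing. The parser keeps quoted values intact so that a `url="http://host:port"` option does not terminate the definition early, which is the case a naive split on `:` gets wrong.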

Evidence notes

The vulnerability affects Rclone versions 1.48.0 through 1.73.4. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and high impact to confidentiality, integrity, and availability. CWE-78 (OS Command Injection) and CWE-306 (Missing Authentication for Critical Function) were identified. Patch commit 2a9e952b38e03a96bf40c9eb6e8e22199865ee3b addresses the issue.

Official resources

2026-04-23