PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49980 rclone CVE debrief

CVE-2026-49980 is a critical vulnerability in rclone, a command-line program for syncing files and directories with cloud storage providers. When rclone's remote-control daemon is started with rclone rcd --rc-serve, unauthenticated GET and HEAD requests can make it execute local commands as the user the rclone process runs as. The issue was introduced in version 1.46.0 and fixed in version 1.74.3; it carries a CVSS score of 9.8 and is rated critical. Users should update to 1.74.3 or later. The CVE was published on June 24, 2026 and last modified on June 29, 2026.

Vendor
rclone
Product
rclone
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-29
Advisory published
2026-06-24
Advisory updated
2026-06-29

Who should care

Anyone running rclone 1.46.0 or later but earlier than 1.74.3 is affected, and the exposure is greatest where the remote-control daemon is started with rclone rcd --rc-serve and can be reached over the network. Administrators and security teams responsible for cloud storage and synchronisation services should prioritise patching and look for exploitation attempts. The critical severity and the fact that no authentication is needed to reach the vulnerable paths make remediation a high priority.

Technical summary

The vulnerability is in the rclone rcd --rc-serve functionality, which accepts unauthenticated GET and HEAD requests to specific paths. Such a request can carry an inline remote configuration, and initialising the backend it describes can run local commands, so an attacker who can reach the rc server executes arbitrary commands as the user running rclone. Two things combine to make this exploitable: the affected paths do not require authentication, and a backend can be configured in a way that executes local commands during initialisation. The impact on confidentiality, integrity and availability is high, hence the critical rating.

Defensive priority

This vulnerability has a high defensive priority because of its critical CVSS score of 9.8 and the unauthenticated command execution it allows. Updating rclone to version 1.74.3 or later is the only complete fix; the access restrictions listed below reduce exposure while the update is rolled out but do not replace it.

Recommended defensive actions

  • Update rclone to version 1.74.3 or later on every host that runs it; this is the only complete fix
  • Do not start rclone rcd with --rc-serve unless serving remote objects over the rc interface is actually needed
  • Bind the rc server to loopback (--rc-addr 127.0.0.1:5572) or keep it behind a firewall or authenticating reverse proxy; never expose it to untrusted networks
  • Require credentials on the rc server (--rc-user and --rc-pass, or --rc-htpasswd) and never start it with --rc-no-auth; the vulnerable paths are reached without authentication, so treat this as defence in depth rather than as the fix
  • Monitor the rc listener for GET and HEAD requests from unexpected sources, especially ones that carry inline remote configuration
  • Review which backends can be reached through the rc server and limit configurations that execute local commands during initialisation
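The two checks a practitioner would script for the list above, as an added shell example (this is not PatchSiren's text and not rclone's own code): it compares the installed rclone version against the affected range stated in this debrief (1.46.0 up to, but not including, 1.74.3) and audits a running rclone rcd command line for the exposure-increasing settings named above (--rc-serve, --rc-no-auth, a bind address that is not loopback, no --rc-user or --rc-htpasswd). The flags are real rclone options; the default bind address localhost:5572 and the treatment of pre-release version suffixes are assumptions noted in the comments, and the command lines used for illustration are constructed.

```shell
#!/bin/sh
# Added example for the CVE-2026-49980 debrief; not PatchSiren's or rclone's code.
# Two checks: (1) is the installed rclone inside the affected range, and
# (2) does a running `rclone rcd` command line carry exposure-increasing flags.
# Range taken from the debrief: introduced in 1.46.0, fixed in 1.74.3.

FIRST_AFFECTED="1.46.0"
FIRST_FIXED="1.74.3"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing dotted numeric
# versions field by field (so 1.74.10 > 1.74.3, unlike a string compare).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        : "${ai:=0}"; : "${bi:=0}"          # missing trailing field counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# version_from_output LINE: turns the first line of `rclone version`
# ("rclone v1.74.3") into "1.74.3". A pre-release suffix such as
# "-beta.7710.abc" is dropped, i.e. a beta is treated as its base release
# (assumption; conservative for an "is this older than the fix" check).
version_from_output() {
    v="${1#rclone v}"
    v="${v%%-*}"
    printf '%s\n' "$v"
}

# is_vulnerable_version VERSION: true when FIRST_AFFECTED <= VERSION < FIRST_FIXED.
is_vulnerable_version() {
    [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] &&
    [ "$(vercmp "$1" "$FIRST_FIXED")" -lt 0 ]
}

# rc_addr_from_cmdline CMDLINE: value of --rc-addr ("--rc-addr X" or
# "--rc-addr=X"); falls back to rclone's default localhost:5572 (assumption).
rc_addr_from_cmdline() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*--rc-addr[= ]\([^ ]*\).*/\1/p')
    printf '%s\n' "${addr:-localhost:5572}"
}

# addr_is_public HOST:PORT: true when the host part binds every interface.
addr_is_public() {
    host="${1%:*}"
    case "$host" in
        ""|0.0.0.0|"::"|"[::]") return 0 ;;
        *) return 1 ;;
    esac
}

# rcd_findings CMDLINE: prints a space-separated list of findings for an
# `rclone rcd` command line, or an empty line when there are none.
#   RC_SERVE        --rc-serve is on: the code path this CVE lives in
#   PUBLIC_BIND     rc listener reachable from the network, not only loopback
#   NO_AUTH         --rc-no-auth lifts the rc authentication requirement
#   NO_CREDENTIALS  neither --rc-user nor --rc-htpasswd is configured
# The vulnerable paths are reached without authentication, so NO_AUTH and
# NO_CREDENTIALS describe general exposure; only updating fixes the CVE.
rcd_findings() {
    cmd=" $1 "
    out=""
    case "$cmd" in *" --rc-serve "*|*" --rc-serve=true "*) out="$out RC_SERVE" ;; esac
    if addr_is_public "$(rc_addr_from_cmdline "$1")"; then out="$out PUBLIC_BIND"; fi
    case "$cmd" in
        *" --rc-no-auth "*|*" --rc-no-auth=true "*) out="$out NO_AUTH" ;;
        *" --rc-user"*|*" --rc-htpasswd"*) ;;      # some credential source is set
        *) out="$out NO_CREDENTIALS" ;;
    esac
    printf '%s\n' "${out# }"
}

# Stand-alone run: check the local install, if any, and every rclone rcd
# process ps can see. Harmless on a host without rclone.
if command -v rclone >/dev/null 2>&1; then
    v=$(version_from_output "$(rclone version | head -n 1)")
    if is_vulnerable_version "$v"; then
        echo "rclone $v is in the affected range [$FIRST_AFFECTED, $FIRST_FIXED): update"
    else
        echo "rclone $v is outside the affected range"
    fi
fi
ps -eo args= 2>/dev/null | grep '[r]clone rcd' | while IFS= read -r line; do
    f=$(rcd_findings "$line")
    echo "$line => ${f:-no findings}"
done
```

A constructed command line such as "rclone rcd --rc-serve --rc-addr :5572 --rc-no-auth" yields RC_SERVE PUBLIC_BIND NO_AUTH, while "rclone rcd --rc-addr 127.0.0.1:5572 --rc-user admin --rc-pass s3cret" yields nothing; the audit is a heuristic over flags, not a test for the vulnerability itself, so a host that shows no findings still needs the version check.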

Evidence notes

The evidence for this vulnerability comes from the official CVE record and the NVD detail page: publication on June 24, 2026, last modification on June 29, 2026, a critical CVSS score of 9.8, and the fix shipped in rclone version 1.74.3. The CISA KEV status above reflects only the stored evidence and should be rechecked against the live catalogue before it is relied on.

Official resources

This article is AI-assisted and based on the supplied source corpus.