PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59732 rclone CVE debrief

Rclone's archive extract feature can write files outside the user-selected destination prefix when extracting a crafted archive containing parent path components like ../. This issue allows creation or overwrite of sibling objects in the same bucket or path scope. The vulnerability is fixed in Rclone version 1.74.4. This issue has a CVSS score of 5, indicating medium severity. The vulnerability can be exploited by an attacker to write extracted files outside the intended destination directory, potentially creating or overwriting sibling objects in the same bucket or path.

Vendor
rclone
Product
Unknown
CVSS
MEDIUM 5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-17
Advisory published
2026-07-14
Advisory updated
2026-07-17

Who should care

Users of Rclone who handle archive extraction, especially in cloud storage environments, should be aware of this vulnerability. Updating to version 1.74.4 or later is recommended. System administrators and security teams responsible for managing Rclone deployments should review the vulnerability details and take necessary actions to mitigate the risk.

Technical summary

CVE-2026-59732 is a path traversal vulnerability in Rclone's archive extract feature. Prior to version 1.74.4, Rclone does not properly handle parent path components like ../ in archive files. This allows an attacker to write extracted files outside the intended destination directory, potentially creating or overwriting sibling objects in the same bucket or path. The vulnerability has a CVSS score of 5 (MEDIUM severity). The issue is fixed in Rclone version 1.74.4.

Defensive priority

Medium priority due to the potential for data overwrite or unauthorized file creation. Users should prioritize updating to version 1.74.4 or later and review their Rclone deployments for potential exposure.

Recommended defensive actions

  • Update Rclone to version 1.74.4 or later
  • Review and validate archive files before extraction
  • Monitor for suspicious file system changes
  • Verify the integrity of extracted files
  • Implement additional monitoring and logging for Rclone activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-14T22:17:29.920Z and last modified on 2026-07-17T03:12:05.760Z. The NVD entry is currently Analyzed. There is limited information available about the specific details of the vulnerability beyond what is provided in the CVE and NVD entries. Users should verify the information with the vendor and consider the potential impact on their systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:29.920Z and has not been modified since then. The NVD entry is currently Analyzed.