PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59733 rclone CVE debrief

CVE-2026-59733 is a high-severity vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The issue, now patched in version 1.74.4, involves a path traversal vulnerability in the `rclone serve restic --private-repos` command. An authenticated user could exploit this vulnerability to read, overwrite, or delete another user's private repository on certain backends.

Vendor
rclone
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Users of Rclone, especially those using the `rclone serve restic --private-repos` command, should be aware of this vulnerability and take immediate action to update to version 1.74.4 or later. This vulnerability is particularly concerning for users with multiple users or shared repositories, as it could allow unauthorized access to sensitive data.

Technical summary

The vulnerability exists in the way Rclone handles URL paths when serving restic repositories with the `--private-repos` flag. Specifically, the program uses the routed user path segment to build the backend object key, without properly cleaning the URL path. This allows an authenticated user to include `..` in a request, potentially accessing files outside their intended repository. The issue is exacerbated by the fact that some backends clean path components, which could lead to unintended behavior.

Defensive priority

High

Recommended defensive actions

  • Update Rclone to version 1.74.4 or later
  • Review and restrict access to sensitive repositories
  • Monitor for suspicious activity on Rclone instances
  • Implement additional security measures, such as two-factor authentication
  • Perform a thorough review of Rclone configurations and user access controls
  • Verify that all Rclone instances are running with the latest security patches
  • Conduct regular security audits to identify potential vulnerabilities in Rclone deployments

Evidence notes

The CVE record was published on 2026-07-14T22:17:30.050Z and last modified on 2026-07-16T05:16:26.443Z. The NVD entry is currently Undergoing Analysis. Multiple source references are available, including commits and a security advisory from the Rclone GitHub repository.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:30.050Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.