PatchSiren cyber security CVE debrief
CVE-2026-59733 rclone CVE debrief
CVE-2026-59733 is a high-severity vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The issue, now patched in version 1.74.4, involves a path traversal vulnerability in the `rclone serve restic --private-repos` command. An authenticated user could exploit this vulnerability to read, overwrite, or delete another user's private repository on certain backends.
- Vendor
- rclone
- Product
- Unknown
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Users of Rclone, especially those using the `rclone serve restic --private-repos` command, should be aware of this vulnerability and take immediate action to update to version 1.74.4 or later. This vulnerability is particularly concerning for users with multiple users or shared repositories, as it could allow unauthorized access to sensitive data.
Technical summary
The vulnerability exists in the way Rclone handles URL paths when serving restic repositories with the `--private-repos` flag. Specifically, the program uses the routed user path segment to build the backend object key, without properly cleaning the URL path. This allows an authenticated user to include `..` in a request, potentially accessing files outside their intended repository. The issue is exacerbated by the fact that some backends clean path components, which could lead to unintended behavior.
Defensive priority
High
Recommended defensive actions
- Update Rclone to version 1.74.4 or later
- Review and restrict access to sensitive repositories
- Monitor for suspicious activity on Rclone instances
- Implement additional security measures, such as two-factor authentication
- Perform a thorough review of Rclone configurations and user access controls
- Verify that all Rclone instances are running with the latest security patches
- Conduct regular security audits to identify potential vulnerabilities in Rclone deployments
Evidence notes
The CVE record was published on 2026-07-14T22:17:30.050Z and last modified on 2026-07-16T05:16:26.443Z. The NVD entry is currently Undergoing Analysis. Multiple source references are available, including commits and a security advisory from the Rclone GitHub repository.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T22:17:30.050Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.