CRITICAL
rclone
CVE published 2026-04-23
CVE-2026-41179
Rclone versions 1.48.0 through 1.73.4 contain a critical unauthenticated remote code execution vulnerability in the RC (remote control) endpoint `operations/fsinfo`. The endpoint does not require authentication and accepts an attacker-controlled `fs` parameter that supports inline backend definitions. An unauthenticated attacker can instantiate a malicious WebDAV backend with a crafted `bearer_token_comman [truncated]