CVE-2026-49980 is a critical vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The vulnerability allows unauthenticated GET and HEAD requests to execute commands as the rclone process user. This issue was introduced in version 1.46.0 and fixed in version 1.74.3. The vulnerability has a CVSS score of 9.8 and is considered critical. Rclone users [truncated]
Rclone versions 1.48.0 through 1.73.4 contain a critical unauthenticated remote code execution vulnerability in the RC (remote control) endpoint `operations/fsinfo`. The endpoint lacks authentication requirements and accepts attacker-controlled `fs` parameters that support inline backend definitions. An unauthenticated attacker can instantiate a malicious WebDAV backend with a crafted `bearer_token_comman [truncated]
CVE-2026-41176 is a critical vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The vulnerability exists in the RC endpoint `options/set`, which is exposed without requiring authentication. This allows an unauthenticated attacker to mutate global runtime configuration, including the RC option block itself. Specifically, an attacker can set `rc.N [truncated]