PatchSiren

rclone CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL rclone CVE published 2026-06-24

CVE-2026-49980

CVE-2026-49980 is a critical vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The vulnerability allows unauthenticated GET and HEAD requests to execute commands as the rclone process user. This issue was introduced in version 1.46.0 and fixed in version 1.74.3. The vulnerability has a CVSS score of 9.8 and is considered critical. Rclone users [truncated]

CRITICAL rclone CVE published 2026-04-23

CVE-2026-41179

Rclone versions 1.48.0 through 1.73.4 contain a critical unauthenticated remote code execution vulnerability in the RC (remote control) endpoint `operations/fsinfo`. The endpoint lacks authentication requirements and accepts attacker-controlled `fs` parameters that support inline backend definitions. An unauthenticated attacker can instantiate a malicious WebDAV backend with a crafted `bearer_token_comman [truncated]

CRITICAL rclone CVE published 2026-04-23

CVE-2026-41176

CVE-2026-41176 is a critical vulnerability in Rclone, a command-line program for syncing files and directories with cloud storage providers. The vulnerability exists in the RC endpoint `options/set`, which is exposed without requiring authentication. This allows an unauthenticated attacker to mutate global runtime configuration, including the RC option block itself. Specifically, an attacker can set `rc.N [truncated]