EXECUTIVE SUMMARY:
CVE-2026-49980, with a CVSS score of 9.8, is a critical vulnerability in the rclone remote control (rc) daemon backend module affecting versions 1.55.0 through 1.74.2. Under specific configuration modes the daemon incorrectly processes the path of incoming web requests, which allows an unauthenticated attacker to trigger system actions. A single crafted GET or HEAD request to the affected path is enough, and the request does not have to come from the attacker directly: it can also be issued by a victim's browser, for example when the victim visits a malicious web page that embeds a hidden image tag whose source points at the daemon. The crafted request lets the attacker inject custom connection options and silently execute local commands, which run with the privileges of the user account the rclone process runs under. An attacker who achieves this gains full control of that account and potentially of the host, with business impacts that include data breaches and system compromise. The only preconditions are that an affected version of rclone is installed, that its rc daemon is running in an affected configuration mode and accepts incoming requests, and that a crafted request can be delivered to it, whether from a web browser or from any other HTTP client.
RECOMMENDATION:
We recommend updating rclone to version 1.74.3 or later. Where the update cannot be applied immediately, do not run the remote control daemon in a configuration that accepts unauthenticated requests, and restrict its listener to trusted hosts, since the vulnerability is triggered by any crafted request that reaches the daemon, including one issued by a victim's browser.
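The following shell script is an added example for checking whether an installed rclone falls inside the affected range; it is not code from the rclone project or from the advisory. It assumes that `rclone version` prints a first line of the form `rclone vX.Y.Z` (pre-release suffixes such as `-beta.1234` are ignored and the build is treated as its base version). Because the advisory does not name the affected configuration mode or request path, this is a version check only and says nothing about whether a particular rc configuration is exposed.

```shell
#!/bin/sh
# Added example (not rclone's own code): is an installed rclone inside the
# affected range 1.55.0 through 1.74.2 for CVE-2026-49980?
# Assumption: `rclone version` prints "rclone vX.Y.Z" on its first line.

# ver_num: convert "X.Y.Z" into a single integer so versions compare
# numerically rather than as strings ("1.9.0" must sort below "1.10.0").
# Runs in a subshell so the IFS change does not leak into the caller.
ver_num() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# rclone_affected: return 0 (true) when the version in "$1" lies within
# [1.55.0, 1.74.2], 1 when it lies outside, 2 when no version is found.
# Accepts "1.74.2", "v1.74.2" or a full "rclone v1.74.2" line; a
# pre-release suffix after the third number is ignored.
rclone_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "could not parse an rclone version from: $1" >&2
        return 2
    fi
    n=$(ver_num "$ver")
    [ "$n" -ge "$(ver_num 1.55.0)" ] && [ "$n" -le "$(ver_num 1.74.2)" ]
}

# Usage: check the rclone binary on this host, if one is installed.
if command -v rclone >/dev/null 2>&1; then
    line=$(rclone version 2>/dev/null | head -n 1)
    if rclone_affected "$line"; then
        echo "VULNERABLE: '$line' is in the affected range; upgrade to 1.74.3 or later"
    else
        echo "OK: '$line' is outside the affected range"
    fi
fi
```

The version string is parsed with a POSIX `sed` expression so the script runs under dash or busybox as well as bash; to audit a fleet, run `rclone version | head -n 1` on each host and feed the collected lines to `rclone_affected`.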
REFERENCES:
The following report contains further technical details:
https://securityonline.info/rclone-command-execution/