EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the RClone command-line program, which is used to sync files and directories to and from different cloud storage providers. Specifically, vulnerabilities were found in the RC endpoint 'operations/fsinfo' and the RC endpoint 'options/set' in versions 1.48.0 to 1.73.4 of the package rclone. These vulnerabilities allow unauthenticated remote command execution, runtime auth bypass, and unauthorized access to sensitive administrative functionality. The business risk and impact of these vulnerabilities are significant, as they can lead to unauthorized access to sensitive data and operational methods, potentially resulting in data breaches, system compromise, and reputational damage.

• CVE-2026-41179 with a CVSS score of 9.0 – The RC endpoint 'operations/fsinfo' is exposed without 'AuthRequired: true' and accepts attacker-controlled 'fs' input. This allows an unauthenticated attacker to instantiate an attacker-controlled backend on demand, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication.

• CVE-2026-41176 with a CVSS score of 9.0 – The RC endpoint 'options/set' is exposed without 'AuthRequired: true', yet it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set 'rc.NoAuth=true', which disables the authorization gate for many RC methods registered with 'AuthRequired: true' on reachable RC servers that are started without global HTTP authentication, allowing unauthorized access to sensitive administrative functionality.

The risk and urgency of these vulnerabilities are high, as they can be exploited by an unauthenticated attacker to gain unauthorized access to sensitive data and operational methods. If exploited, these vulnerabilities could lead to significant business consequences, including data breaches, system compromise, and reputational damage.
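To make the CVE-2026-41176 bypass concrete from a defender's view, the following Go model of the RC authorization gate is an added example written for this page, not rclone's own implementation: a registry of methods carrying an AuthRequired flag, an options/set handler that can mutate the rc block, and a check of whether a gated method becomes reachable. The Server and Method types, the method name "admin/sensitive", and the hardened=true variant (registering options/set behind the same gate as the methods it can unlock) are assumptions for illustration.

```go
package main
import "fmt"

// Method models an RC call registered with or without AuthRequired (simplified model, not rclone's code).
type Method struct {
	AuthRequired bool
	Handler      func(s *Server, params map[string]any) error
}
// Server records whether global HTTP auth is configured and the runtime rc.NoAuth option.
type Server struct {
	HTTPAuth, NoAuth bool
	methods          map[string]Method
}
var ErrUnauthorized = fmt.Errorf("method requires authentication")

// Call enforces the gate: an AuthRequired method is refused unless HTTP auth is configured or rc.NoAuth is set.
func (s *Server) Call(name string, params map[string]any) error {
	m, ok := s.methods[name]
	if !ok {
		return fmt.Errorf("unknown method %q", name)
	}
	if m.AuthRequired && !s.NoAuth && !s.HTTPAuth {
		return ErrUnauthorized
	}
	return m.Handler(s, params)
}
// setOptions models options/set: it mutates runtime options, including the rc block itself.
func setOptions(s *Server, params map[string]any) error {
	rc, _ := params["rc"].(map[string]any) // nil if absent; indexing a nil map is safe
	if v, ok := rc["NoAuth"].(bool); ok {
		s.NoAuth = v
	}
	return nil
}
// NewServer has no global HTTP auth. hardened=false registers options/set without AuthRequired
// (the vulnerable state); hardened=true gates it. "admin/sensitive" is a hypothetical gated method.
func NewServer(hardened bool) *Server {
	s := &Server{methods: map[string]Method{}}
	s.methods["options/set"] = Method{AuthRequired: hardened, Handler: setOptions}
	s.methods["admin/sensitive"] = Method{AuthRequired: true, Handler: func(*Server, map[string]any) error { return nil }}
	return s
}
// SensitiveReachable: can an unauthenticated caller reach the gated method after setting rc.NoAuth=true?
func SensitiveReachable(hardened bool) bool {
	s := NewServer(hardened)
	_ = s.Call("options/set", map[string]any{"rc": map[string]any{"NoAuth": true}})
	return s.Call("admin/sensitive", nil) == nil
}

func main() { fmt.Println("vulnerable:", SensitiveReachable(false), "hardened:", SensitiveReachable(true)) }
```

The takeaway for hardening: any endpoint that can rewrite the rc option block must itself sit behind the gate, and RC servers should be started with global HTTP authentication so the gate is never the only control.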
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jfwf-28xr-xw6q
https://github.com/advisories/GHSA-25qr-6mpr-f7qx