Vulnerability Details CVE-2026-41179
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
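A triage sketch for the preconditions described above (affected version range, RC enabled, no global HTTP authentication, listener reachable beyond loopback). This is an added example, not rclone project code; the result labels, the sample command lines and the assumed default listen address `localhost:5572` are choices made for this example.

```python
import re
import shlex

FIRST_AFFECTED, FIRST_FIXED = (1, 48, 0), (1, 73, 5)  # range stated in the advisory
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
DEFAULT_RC_ADDR = "localhost:5572"  # assumption: rclone's default RC listen address

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'rclone v1.72.1'."""
    m = re.search(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """True for releases from 1.48.0 up to, but not including, 1.73.5."""
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

def flag_values(argv, name):
    """Collect values passed as '--name value' or '--name=value'."""
    values = []
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith(name + "="):
            values.append(arg.split("=", 1)[1])
    return values

def assess(version_text, cmdline):
    """Classify one rclone invocation against the advisory's preconditions."""
    if not version_affected(version_text):
        return "patched-or-unaffected"
    argv = shlex.split(cmdline)
    if "rcd" not in argv and "--rc" not in argv:
        return "rc-off"
    # Global HTTP authentication, which the advisory names as the missing control.
    has_auth = bool(flag_values(argv, "--rc-htpasswd")) or (
        bool(flag_values(argv, "--rc-user")) and bool(flag_values(argv, "--rc-pass")))
    if has_auth:
        return "auth-required"
    addrs = flag_values(argv, "--rc-addr") or [DEFAULT_RC_ADDR]
    hosts = [a.rsplit(":", 1)[0] for a in addrs]
    return "loopback-only" if all(h in LOOPBACK_HOSTS for h in hosts) else "exposed"

# Constructed sample fleet: (reported version, process command line).
SAMPLES = [
    ("rclone v1.72.1", "rclone rcd --rc-addr :5572"),
    ("rclone v1.72.1", "rclone rcd --rc-addr=0.0.0.0:5572 --rc-user ops --rc-pass x"),
    ("rclone v1.73.5", "rclone rcd --rc-addr :5572"),
]
if __name__ == "__main__":
    for version, cmd in SAMPLES:
        print(f"{assess(version, cmd):22} {version:16} {cmd}")
```

The check reads command-line flags only, so RC settings supplied through environment variables or a config file are not seen; `loopback-only` and `auth-required` hosts still need the upgrade to 1.73.5.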
Exploit prediction scoring system (EPSS) score
EPSS Score 0.06
EPSS Ranking 90.7%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-41179
- cpe:2.3:a:rclone:rclone:1.48.0
- cpe:2.3:a:rclone:rclone:1.49.0
- cpe:2.3:a:rclone:rclone:1.49.1
- cpe:2.3:a:rclone:rclone:1.49.2
- cpe:2.3:a:rclone:rclone:1.49.3
- cpe:2.3:a:rclone:rclone:1.49.4
- cpe:2.3:a:rclone:rclone:1.49.5
- cpe:2.3:a:rclone:rclone:1.50.0
- cpe:2.3:a:rclone:rclone:1.50.1
- cpe:2.3:a:rclone:rclone:1.50.2
- cpe:2.3:a:rclone:rclone:1.51.0
- cpe:2.3:a:rclone:rclone:1.52.0
- cpe:2.3:a:rclone:rclone:1.52.1
- cpe:2.3:a:rclone:rclone:1.52.2
- cpe:2.3:a:rclone:rclone:1.52.3
- cpe:2.3:a:rclone:rclone:1.53.0
- cpe:2.3:a:rclone:rclone:1.53.1
- cpe:2.3:a:rclone:rclone:1.53.2
- cpe:2.3:a:rclone:rclone:1.53.3
- cpe:2.3:a:rclone:rclone:1.53.4
- cpe:2.3:a:rclone:rclone:1.54.0
- cpe:2.3:a:rclone:rclone:1.54.1
- cpe:2.3:a:rclone:rclone:1.55.0
- cpe:2.3:a:rclone:rclone:1.55.1
- cpe:2.3:a:rclone:rclone:1.56.0
- cpe:2.3:a:rclone:rclone:1.56.1
- cpe:2.3:a:rclone:rclone:1.56.2
- cpe:2.3:a:rclone:rclone:1.57.0
- cpe:2.3:a:rclone:rclone:1.58.0
- cpe:2.3:a:rclone:rclone:1.58.1
- cpe:2.3:a:rclone:rclone:1.59.0
- cpe:2.3:a:rclone:rclone:1.59.1
- cpe:2.3:a:rclone:rclone:1.59.2
- cpe:2.3:a:rclone:rclone:1.60.0
- cpe:2.3:a:rclone:rclone:1.60.1
- cpe:2.3:a:rclone:rclone:1.61.0
- cpe:2.3:a:rclone:rclone:1.61.1
- cpe:2.3:a:rclone:rclone:1.62.0
- cpe:2.3:a:rclone:rclone:1.62.1
- cpe:2.3:a:rclone:rclone:1.62.2
- cpe:2.3:a:rclone:rclone:1.63.0
- cpe:2.3:a:rclone:rclone:1.63.1
- cpe:2.3:a:rclone:rclone:1.64.0
- cpe:2.3:a:rclone:rclone:1.64.1
- cpe:2.3:a:rclone:rclone:1.64.2
- cpe:2.3:a:rclone:rclone:1.65.0
- cpe:2.3:a:rclone:rclone:1.65.1
- cpe:2.3:a:rclone:rclone:1.65.2
- cpe:2.3:a:rclone:rclone:1.66.0
- cpe:2.3:a:rclone:rclone:1.67.0
- cpe:2.3:a:rclone:rclone:1.68.0
- cpe:2.3:a:rclone:rclone:1.68.1
- cpe:2.3:a:rclone:rclone:1.68.2
- cpe:2.3:a:rclone:rclone:1.69.0
- cpe:2.3:a:rclone:rclone:1.69.1
- cpe:2.3:a:rclone:rclone:1.69.2
- cpe:2.3:a:rclone:rclone:1.69.3
- cpe:2.3:a:rclone:rclone:1.70.0
- cpe:2.3:a:rclone:rclone:1.70.1
- cpe:2.3:a:rclone:rclone:1.70.2
- cpe:2.3:a:rclone:rclone:1.70.3
- cpe:2.3:a:rclone:rclone:1.71.0
- cpe:2.3:a:rclone:rclone:1.71.1
- cpe:2.3:a:rclone:rclone:1.71.2
- cpe:2.3:a:rclone:rclone:1.72.0
- cpe:2.3:a:rclone:rclone:1.72.1
- cpe:2.3:a:rclone:rclone:1.73.0
- cpe:2.3:a:rclone:rclone:1.73.1
- cpe:2.3:a:rclone:rclone:1.73.2
- cpe:2.3:a:rclone:rclone:1.73.3
- cpe:2.3:a:rclone:rclone:1.73.4