CVE Catalog

CVE-2026-41176

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
34.73%

98th percentile — higher than 98% of all known CVEs

Summary

In Rclone, the RC endpoint `options/set` is exposed without `AuthRequired: true`, allowing mutation of global runtime configuration. An unauthenticated attacker can set `rc.NoAuth=true`, disabling authorization for many RC methods that require authentication, leading to unauthorized access to sensitive administrative functionality.

Risk Assessment

The organization faces the risk of unauthorized takeover of the Rclone server, including access to configuration and operational RC methods, potentially resulting in data leakage or service disruption.

Recommendation

Immediately update Rclone to version 1.73.5 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS