CVE-2026-41176
CriticalCVSS 9.8Exploitation Probability (EPSS)
Very high risk98th percentile — higher than 98% of all known CVEs
Summary
In Rclone, the RC endpoint `options/set` is exposed without `AuthRequired: true`, allowing mutation of global runtime configuration. An unauthenticated attacker can set `rc.NoAuth=true`, disabling authorization for many RC methods that require authentication, leading to unauthorized access to sensitive administrative functionality.
Risk Assessment
The organization faces the risk of unauthorized takeover of the Rclone server, including access to configuration and operational RC methods, potentially resulting in data leakage or service disruption.
Recommendation
Immediately update Rclone to version 1.73.5 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

