CVE Catalog

CVE-2026-41179

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
9.20%

95th percentile — higher than 95% of all known CVEs

Summary

In Rclone from version 1.48.0 to 1.73.4, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. This allows an unauthenticated attacker to achieve remote command execution by leveraging the WebDAV backend with the `bearer_token_command` parameter.

Risk Assessment

The organization is at risk of remote arbitrary command execution by an unauthenticated attacker, potentially leading to full server compromise, data theft, or cloud infrastructure takeover.

Recommendation

Immediately upgrade Rclone to version 1.73.5 or later. If upgrading is not possible, disable access to the RC endpoint or configure global HTTP authentication.

Original NVD description (English source)

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS