CVE-2026-41179 CRITICAL

CVE-2026-41179: RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Vendor Rclone

Product rclone

Weakness CWE-78

Published April 23, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

9.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

Key dates

02Disclosure timeline

April 23, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41179 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-41179: RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

01Description

02Disclosure timeline

03References

04Related CVE