CVE-2026-43617 MEDIUM

CVE-2026-43617: Rsync < 3.4.3 Authorization Bypass via Hostname Resolution

Vendor Rsyncproject
Product rsync
Weakness CWE-289
Published May 20, 2026
Last update May 20, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

Key dates

02Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated