CRITICAL🇵🇱 Wersja polska

CVE-2026-49980

CVSS 9.8v3.1pub. 2026-06-24upd. 2026-07-03

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Rclone

    APP
    Rclone
    1.46 – 1.74.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-41176CRITICAL9.2PL ✓ten sam produkt

Rclone RC: pominięcie uwierzytelnienia przez endpoint options/set

CVE-2026-41179CRITICAL9.2PL ✓ten sam produkt

Rclone: nieuwierzytelnione RCE przez endpoint RC operations/fsinfo

CVE-2020-28924HIGH7.5ten sam produkt

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the passwor...

CVE-2018-12907HIGH7.5ten sam produkt

In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow atta...