CVE-2026-41176

Source
https://cve.org/CVERecord?id=CVE-2026-41176
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41176.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-41176
Published
2026-04-22T23:57:54.075Z
Modified
2026-04-28T11:51:30.413414Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41176.json",
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/rclone/rclone

Affected ranges

Type
GIT
Repo
https://github.com/rclone/rclone
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.45.0"
        },
        {
            "fixed": "1.73.5"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*
v0.90
v0.91
v0.92
v0.93
v0.94
v0.95
v0.96
v0.97
v0.98
v0.99
v1.*
v1.00
v1.01
v1.03
v1.04
v1.05
v1.06
v1.07
v1.08
v1.09
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.17
v1.18
v1.19
v1.20
v1.21
v1.22
v1.23
v1.24
v1.25
v1.26
v1.27
v1.28
v1.29
v1.29-1-gbb75d80
v1.30
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36
v1.37
v1.38
v1.39
v1.40
v1.41
v1.42
v1.43
v1.44
v1.45
v1.46
v1.46.0
v1.47.0
v1.48.0
v1.49.0
v1.50.0
v1.51.0
v1.52.0
v1.53.0
v1.54.0
v1.55.0
v1.56.0
v1.57.0
v1.58.0
v1.59.0
v1.60.0
v1.61.0
v1.62.0
v1.63.0
v1.64.0
v1.65.0
v1.66.0
v1.67.0
v1.68.0
v1.69.0
v1.70.0
v1.71.0
v1.72.0
v1.73.0
v1.73.1
v1.73.2
v1.73.3
v1.73.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41176.json"