CVE-2026-41176
Published: 23 April 2026
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting…
more
in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Mitigating Controls (NIST 800-53 r5)AI
Explicitly identifies and limits organizational actions permitted without identification or authentication, directly preventing exposure of the unauthenticated /options/set endpoint that mutates critical RC configuration.
Enforces approved authorizations for logical access to system resources, blocking unauthorized attackers from exploiting the RC endpoint to disable authentication gates.
Defines and enforces logical access restrictions for changes to system components, mitigating unauthenticated mutation of global runtime configuration including rc.NoAuth settings.
Security SummaryAI
CVE-2026-41176 is a critical authentication bypass vulnerability in Rclone, a command-line program for syncing files and directories to and from cloud storage providers. The issue affects the RC (Remote Control) endpoint `/options/set`, which is exposed without requiring authentication (`AuthRequired: true`). This endpoint allows mutation of global runtime configuration, including the RC option block itself. The vulnerability impacts Rclone versions starting from 1.45.0 up to but not including 1.73.5, enabling unauthenticated attackers to alter key settings on reachable RC servers launched without global HTTP authentication.
An unauthenticated attacker with network access to the RC server can exploit this by sending a request to the `/options/set` endpoint to set `rc.NoAuth=true`. This disables the authorization gate for numerous other RC methods that are registered with `AuthRequired: true`, granting unauthorized access to sensitive administrative functionality. Potential impacts include manipulation of configurations and execution of operational RC methods, as reflected in the vulnerability's CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-306 (Missing Authentication for Critical Function).
The Rclone security advisory (GHSA-25qr-6mpr-f7qx) and related code changes confirm that version 1.73.5 patches the issue by addressing the unauthenticated mutation of the RC configuration. Security practitioners should prioritize upgrading affected RC servers to version 1.73.5 or later to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a network-exposed Remote Control (RC) HTTP endpoint of Rclone, enabling unauthenticated remote attackers to mutate configurations and access administrative functions, directly mapping to exploitation of public-facing applications and remote services.