CVE-2026-41179
Published: 23 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-41179 affects Rclone, a command-line program for syncing files and directories to and from cloud storage providers. The vulnerability exists in versions 1.48.0 through 1.73.4, in the remote-control (RC) endpoint `operations/fsinfo`, which was registered without `AuthRequired: true` and accepts an attacker-controlled `fs` parameter. Because `rc.GetFs(...)` accepts inline backend definitions (a connection string naming a backend and its parameters) rather than only the names of remotes already present in the rclone config, an unauthenticated caller can make the server instantiate a backend of the caller's choosing. For the WebDAV backend, `bearer_token_command` is run during backend initialisation, so instantiating the backend is enough to execute a command.
An unauthenticated attacker can exploit this on any reachable RC deployment lacking global HTTP authentication. By sending a single crafted request to the `operations/fsinfo` endpoint with a malicious WebDAV backend configuration, the attacker triggers execution of an arbitrary local command via the `bearer_token_command` feature, achieving remote code execution without prior authentication.
The rclone security advisory GHSA-jfwf-28xr-xw6q confirms that version 1.73.5 patches the issue by closing the unauthenticated exposure of the endpoint. Practitioners should upgrade to Rclone 1.73.5 or later and review RC configurations so that authentication is enforced on every endpoint: configure `--rc-user` and `--rc-pass` (or `--rc-htpasswd`) rather than relying on per-method gating, never run with `--rc-no-auth` on a host reachable from untrusted networks, and keep `--rc-addr` bound to loopback unless remote access to the RC is genuinely required. Relevant code changes are detailed in the project's GitHub repository for the WebDAV backend, RC operations, and cache modules.
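The following is an added verification script, not code from the rclone project or from the advisory. It checks the one property the fix and the hardening advice above both depend on: that `operations/fsinfo` no longer answers an unauthenticated caller. It sends a benign local path as `fs` (no WebDAV backend, no `bearer_token_command`), so it exercises the exposure without triggering command execution. The RC address `http://127.0.0.1:5572` and the `classify` verdict strings are assumptions made for the example; the sample responses used in the comments are constructed, not captured from a real server.

```python
"""Probe whether an rclone RC server still serves operations/fsinfo without credentials.

Added example, not rclone project code. Assumptions: the RC listens at RC_URL
(rclone's default rcd address) and a benign local path is an acceptable `fs`.
"""
import json
import urllib.error
import urllib.request

RC_URL = "http://127.0.0.1:5572"  # assumption: default `rclone rcd` listen address

EXPOSED = "exposed: operations/fsinfo answered without credentials"
ENFORCED = "auth enforced: server rejected the unauthenticated call"
UNKNOWN = "undetermined: inspect the raw response"


def classify(status, body):
    """Map an HTTP status and body from operations/fsinfo to a verdict.

    A 200 carrying a JSON object with no "error" key means rc.GetFs ran on
    caller-supplied input with no credentials (the pre-1.73.5 behaviour).
    401 or 403 means the server demanded credentials or refused the method.
    Anything else (e.g. a 500 with an rclone error document) is left undetermined.
    """
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(doc, dict) and "error" not in doc:
            return EXPOSED
        return UNKNOWN
    if status in (401, 403):
        return ENFORCED
    return UNKNOWN


def probe(rc_url=RC_URL, fs="/", timeout=5):
    """POST {"fs": fs} to <rc_url>/operations/fsinfo with no Authorization header.

    rclone's rc API takes a JSON body and returns JSON; error replies come back
    with a non-200 status and an "error" key, which classify() accounts for.
    """
    req = urllib.request.Request(
        rc_url.rstrip("/") + "/operations/fsinfo",
        data=json.dumps({"fs": fs}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # Non-2xx replies raise; the body is still readable and may carry rclone's error JSON.
        return classify(e.code, e.read().decode())


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else RC_URL
    print(probe(target))
```

Run it against the RC address after upgrading (or after adding `--rc-user`/`--rc-pass`); `EXPOSED` means the instance still instantiates caller-supplied backends for anonymous requests and should be treated as vulnerable regardless of version string. Because the verdict is computed purely from status and body, `classify` can be reused on responses captured by other tooling.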
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote code execution via a crafted request to the exposed public-facing RC endpoint (`operations/fsinfo`) in Rclone, directly mapping to T1190: Exploit Public-Facing Application.