CVE-2026-41176

CRITICAL 9.8 (CVSS 3.1), Exploitation: PoC
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Metadata

CVE ID: CVE-2026-41176
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-17 16:34 UTC
Published: 2026-04-22 23:57 UTC
Last updated: 2026-06-30 03:20 UTC
Primary CWE: CWE-306 (Missing Authentication for Critical Function)
Vendor / Product: rclone / rclone
Sources: cve.org, NVD

Severity & Metrics

9.8 CRITICAL (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC (CISA Coordinator)
Exploitation: PoC
Automatable: yes
Technical impact: total

Affected products (1)
Vendor   Product   Platform   Versions
rclone   rclone    (any)      >= 1.45.0, < 1.73.5

Weakness (CWE)
CWE       Source   Description
CWE-306   cna      Missing Authentication for Critical Function
CWE-15    adp      External Control of System or Configuration Setting

CVSS scores (2)
Score   Severity   Version   Source   Vector
9.8     CRITICAL   3.1       adp      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2     CRITICAL   4.0       cna      CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N