Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Published: 2026-04-22
Score: 9.2 Critical
EPSS: 6.3% Low
KEV: No
Impact: Remote Privilege Escalation / Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in rclone allows an unauthenticated user to modify the global runtime configuration via the options/set endpoint, which lacks authentication. By setting the rc.NoAuth flag to true, an attacker can effectively bypass the authorization checks for RC methods that normally require AuthRequired:true. This exposure permits the execution of privileged administrative commands such as configuration changes and synchronization controls, and potentially arbitrary code execution on the host running rclone. The weakness is classified under CWE-15 (External Control of System or Configuration Setting) and CWE-306 (Missing Authentication for Critical Function).
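The gate interaction the description relies on, as a simplified Go model added here (not rclone's own code; the Call and Server types, the config/get method and the fixed flag are assumptions): an ungated options/set lets an unauthenticated caller flip NoAuth and then pass the gate on an AuthRequired method, while registering options/set as AuthRequired (the hardened shape in this model) keeps the gate closed.

```go
package main
import "errors"

// Simplified model of an RC registry and its auth gate (added example, not
// rclone's code); Server.NoAuth models rc.NoAuth in the runtime option block.
type Call struct {
	AuthRequired bool
	Fn           func(*Server, map[string]string) error
}
type Server struct {
	GlobalHTTPAuth bool // server started with HTTP authentication
	NoAuth         bool // the rc.NoAuth option, writable via options/set
	Calls          map[string]*Call
}
// Dispatch applies the method-level gate: an AuthRequired method is refused
// unless HTTP auth was checked upstream (GlobalHTTPAuth) or NoAuth is set.
func (s *Server) Dispatch(name string, p map[string]string) error {
	c := s.Calls[name]
	if c == nil {
		return errors.New("unknown call: " + name)
	}
	if c.AuthRequired && !s.NoAuth && !s.GlobalHTTPAuth {
		return errors.New("unauthorized")
	}
	return c.Fn(s, p)
}

// optionsSet mutates the runtime option block, including NoAuth.
func optionsSet(s *Server, p map[string]string) error {
	if v, ok := p["rc.NoAuth"]; ok {
		s.NoAuth = v == "true"
	}
	return nil
}

// NewServer registers options/set ungated (fixed=false, the vulnerable shape)
// or gated (fixed=true), beside a gated administrative method.
func NewServer(fixed bool) *Server {
	s := &Server{Calls: map[string]*Call{}}
	s.Calls["options/set"] = &Call{AuthRequired: fixed, Fn: optionsSet}
	s.Calls["config/get"] = &Call{AuthRequired: true, Fn: func(*Server, map[string]string) error { return nil }}
	return s
}

// Bypassed: does an unauthenticated caller reach config/get after setting rc.NoAuth?
func Bypassed(fixed bool) bool {
	s := NewServer(fixed)
	_ = s.Dispatch("options/set", map[string]string{"rc.NoAuth": "true"})
	return s.Dispatch("config/get", nil) == nil
}
```

The check that matters for a defender is the registration line: any method that can write the option block governing authorization must itself sit behind the gate.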

Affected Systems

Users of rclone versions from 1.45.0 up to, but not including, 1.73.5 are at risk. The vulnerability applies to the open‑source rclone command‑line tool distributed by the rclone project.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.2, indicating critical severity, and an EPSS of 6% suggests a modest but non‑negligible probability of exploitation. It is not listed in CISA’s KEV catalog. Since the attack vector is remote and requires no privileges to initiate, the risk is significant for services that expose rclone’s RC interface without proper authentication.

Generated by OpenCVE AI on April 28, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rclone to version 1.73.5 or later to receive the patched runtime configuration handler.
  • If upgrading immediately is not possible, disable the RC interface by not starting the RC server or by configuring it to bind only to localhost.
  • Configure a global HTTP authentication layer for the RC server, and set rc.NoAuth to false to enforce authorization on all RC methods.

Advisories
Source: Github GHSA
ID: GHSA-25qr-6mpr-f7qx
Title: Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
History

Mon, 27 Apr 2026 18:30:00 +0000

First Time appeared (added): Rclone; Rclone rclone
CPEs (added): cpe:2.3:a:rclone:rclone:*:*:*:*:*:*:*:*
Vendors & Products (added): Rclone; Rclone rclone

Fri, 24 Apr 2026 00:15:00 +0000

Weaknesses (added): CWE-15
Metrics (removed): threat_severity: None
Metrics (added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Important

Thu, 23 Apr 2026 15:30:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 00:15:00 +0000

Description (added): as given under Description above
Title (added): Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Weaknesses (added): CWE-306
Metrics (added): cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-28T03:55:19.022Z
Reserved: 2026-04-17T16:34:45.526Z
Link: CVE-2026-41176

Vulnrichment

Updated: 2026-04-23T14:36:04.300Z

NVD

Status: Analyzed
Published: 2026-04-23T00:16:45.800
Modified: 2026-04-27T18:19:45.303
Link: CVE-2026-41176

Redhat

Severity: Important
Public Date: 2026-04-22T23:57:54Z
Links: CVE-2026-41176 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses