Impact
An unauthenticated user can call the RC endpoint options/set on rclone, which lacks proper authentication enforcement. By setting rc.NoAuth to true, the attacker turns off the authorization guard for many RC methods that normally require AuthRequired:true. This allows the attacker to invoke privileged administrative operations, such as altering configuration and executing operational RC methods, without having to authenticate.
Affected Systems
Any deployment of rclone version 1.45.0 through the pre‑1.73.5 releases that is started with the RC server enabled is vulnerable. The vulnerability affects the rclone command‑line tool distributed by the rclone project and is not limited to any particular operating system or host configuration.
Risk and Exploitability
The CVSS base score of 9.2 reflects the severity of gaining unauthorized administrative access. An EPSS score of 35% indicates a moderately high likelihood that this flaw is actively exploited. The flaw is not listed in CISA’s KEV catalog, but the remote attack vector combined with no authentication requirement makes it attractive for attackers who expose the RC interface publicly.
OpenCVE Enrichment
Github GHSA
Ubuntu USN