Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Published: 2026-04-22
Score: 9.2 Critical
EPSS: 34.7% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated user can call the RC endpoint options/set on rclone, which lacks proper authentication enforcement. By setting rc.NoAuth to true, the attacker turns off the authorization guard for many RC methods that normally require AuthRequired:true. This allows the attacker to invoke privileged administrative operations, such as altering configuration and executing operational RC methods, without having to authenticate.

Affected Systems

Any deployment of rclone version 1.45.0 through the pre‑1.73.5 releases that is started with the RC server enabled is vulnerable. The vulnerability affects the rclone command‑line tool distributed by the rclone project and is not limited to any particular operating system or host configuration.

Risk and Exploitability

The CVSS base score of 9.2 reflects the severity of gaining unauthorized administrative access. An EPSS score of 35% indicates a moderately high likelihood that this flaw is actively exploited. The flaw is not listed in CISA’s KEV catalog, but the remote attack vector combined with no authentication requirement makes it attractive for attackers who expose the RC interface publicly.

Generated by OpenCVE AI on June 18, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rclone to version 1.73.5 or later to apply the fixed runtime configuration handler.
  • If an upgrade cannot occur immediately, stop the RC server or bind it to localhost so that it is not reachable from the network.
  • Configure a global HTTP authentication layer on the RC server and ensure that rc.NoAuth remains set to false, thereby enforcing the expected AuthRequired checks for all RC methods.

Generated by OpenCVE AI on June 18, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-25qr-6mpr-f7qx Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Ubuntu USN Ubuntu USN USN-8299-1 Rclone vulnerabilities
History

Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Rclone
Rclone rclone
CPEs cpe:2.3:a:rclone:rclone:*:*:*:*:*:*:*:*
Vendors & Products Rclone
Rclone rclone

Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-15
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Title Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:08:50.033Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41176

cve-icon Vulnrichment

Updated: 2026-04-23T14:36:04.300Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T00:16:45.800

Modified: 2026-06-17T10:46:16.713

Link: CVE-2026-41176

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-22T23:57:54Z

Links: CVE-2026-41176 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:00:16Z

Weaknesses
  • CWE-15

    External Control of System or Configuration Setting

  • CWE-306

    Missing Authentication for Critical Function