Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Published: 2026-04-23
Score: 9.2 Critical
EPSS: 9.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rclone, a popular command-line tool for synchronizing files with cloud storage, has a critical flaw in its Remote Control (RC) interface. The operations/fsinfo endpoint is mistakenly exposed without authentication, allowing an attacker to submit a payload that specifies an arbitrary backend. The rc.GetFs function can create any backend on demand, and for the WebDAV backend the bearer_token_command is run during initialization. Consequently, a single unauthenticated request can trigger local command execution on the host that runs Rclone. The weaknesses involved are missing authentication for a critical function (CWE-306), OS command injection (CWE-78), and code injection (CWE-94). The vulnerability exists in Rclone versions 1.48.0 through 1.73.4, and is fixed in 1.73.5.

Affected Systems

Affected systems are installations of Rclone 1.48.0 up to, but not including, 1.73.5. The vulnerability is relevant to any deployment that exposes the RC endpoint without global HTTP authentication, whether running as a standalone binary or within a container or scripted environment. Attackers could reach a vulnerable instance over the network and issue the operations/fsinfo request with crafted backend parameters.

Risk and Exploitability

The CVSS score of 9.2 classifies this flaw as critical, and the EPSS score of 10% indicates it is likely to be attempted by adversaries. Because the endpoint accepts unauthenticated requests, the attack vector is remote network access; no credentials or privileged permissions are required. While the vulnerability is not currently listed in CISA’s KEV catalog, the combination of high severity and moderate exploitation potential warrants urgent attention.

Generated by OpenCVE AI on April 29, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rclone to version 1.73.5 or later, which removes the unauthenticated operations/fsinfo endpoint.
  • If an upgrade is not immediately possible, disable the RC service by setting `AuthRequired: true` for the operations/fsinfo endpoint or by removing the RC interface entirely from the configuration.
  • Restrict network access to the RC port using firewall rules or a reverse proxy so that only trusted hosts can reach it, and ensure that backend definitions do not include executable commands such as bearer_token_command.

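
The Description above states the mechanism: an unauthenticated `operations/fsinfo` call whose `fs` parameter carries an inline backend definition, and a WebDAV option (`bearer_token_command`) that runs a local command while that backend initialises. The Go program below is an added example; it is not rclone's code and not something OpenCVE publishes. It is the kind of request-inspection check a defender would put in a reverse proxy in front of the RC port, or run over logged RC request bodies, to flag such requests while the upgrade to 1.73.5 is pending. It assumes rclone's connection-string syntax for `fs` (`:backend,key=value:path` for an on-the-fly backend, `remote,key=value:path` for options added to a named remote, with single- or double-quoted values allowed), models only the `fs` field of the JSON body, and treats every option name ending in `_command` as command-executing, which goes beyond the one option named on this page. The sample bodies in `main` are constructed, not captured traffic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// rcRequest models only the field of an rclone RC JSON body this check
// needs; real bodies may carry other parameters (assumption: ignored here).
type rcRequest struct {
	Fs string `json:"fs"`
}

// Finding explains why an RC request was flagged.
type Finding struct {
	Path   string
	Reason string
}

// splitUnquoted splits s on sep, ignoring separators that sit inside
// single- or double-quoted values (the quoting connection strings allow).
func splitUnquoted(s string, sep byte) []string {
	var parts []string
	var cur strings.Builder
	var quote byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case quote != 0: // inside a quoted value: copy until the closing quote
			if c == quote {
				quote = 0
			}
			cur.WriteByte(c)
		case c == '\'' || c == '"':
			quote = c
			cur.WriteByte(c)
		case c == sep:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// parseFs splits an fs string into the remote spec and its inline options.
// onTheFly is true for the ":backend,opt=val:path" form, in which the caller
// defines the whole backend; a string with no unquoted ':' is a local path.
func parseFs(fs string) (onTheFly bool, name string, opts map[string]string) {
	opts = map[string]string{}
	rest := fs
	if strings.HasPrefix(rest, ":") {
		onTheFly = true
		rest = rest[1:]
	}
	parts := splitUnquoted(rest, ':')
	if len(parts) == 1 && !onTheFly {
		return false, "", opts // plain local path, nothing inline
	}
	fields := splitUnquoted(parts[0], ',') // remote spec ends at first unquoted ':'
	name = fields[0]
	for _, kv := range fields[1:] {
		k, v, _ := strings.Cut(kv, "=")
		opts[strings.TrimSpace(k)] = strings.Trim(v, `'"`)
	}
	return onTheFly, name, opts
}

// CheckRequest flags an RC request whose fs parameter would instantiate a
// backend the caller fully controls, or carries an option that runs a local
// command during backend initialisation. A body that is not JSON is flagged
// too, since a filter should fail closed rather than pass what it cannot read.
func CheckRequest(path string, body []byte) []Finding {
	var req rcRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return []Finding{{path, "unparseable JSON body: " + err.Error()}}
	}
	var out []Finding
	onTheFly, name, opts := parseFs(req.Fs)
	if onTheFly {
		out = append(out, Finding{path, fmt.Sprintf("on-the-fly %q backend defined in fs", name)})
	}
	for k := range opts {
		// bearer_token_command is the WebDAV option the advisory names;
		// matching any *_command option is an assumption made here.
		if k == "bearer_token_command" || strings.HasSuffix(k, "_command") {
			out = append(out, Finding{path, fmt.Sprintf("option %s runs a local command at init", k)})
		}
	}
	return out
}

func main() {
	// Constructed sample bodies for a stand-alone run; not captured traffic.
	samples := []string{
		`{"fs": "gdrive:backup/2026"}`,
		`{"fs": ":webdav,url='http://127.0.0.1:8080/dav',bearer_token_command=/usr/bin/true:"}`,
	}
	for _, s := range samples {
		for _, f := range CheckRequest("/operations/fsinfo", []byte(s)) {
			fmt.Printf("%s: %s\n", f.Path, f.Reason)
		}
	}
}
```

The first sample produces no finding; the second produces two, one for the on-the-fly backend and one for the command-executing option. The more robust policy for a proxy in front of an RC port that has no global HTTP authentication is to reject any on-the-fly backend definition from a caller that has not authenticated, rather than to rely on the option-name list, because the option is only the one known route by which backend initialisation runs a command.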

Tracking


Advisories
Source: Github GHSA
ID: GHSA-jfwf-28xr-xw6q
Title: RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
History

Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Rclone
Rclone rclone
CPEs cpe:2.3:a:rclone:rclone:*:*:*:*:*:*:*:*
Vendors & Products Rclone
Rclone rclone

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Title RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Weaknesses CWE-306
CWE-78
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-28T03:55:17.599Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41179

Vulnrichment

Updated: 2026-04-23T12:33:39.859Z

NVD

Status : Analyzed

Published: 2026-04-23T00:16:45.947

Modified: 2026-04-27T18:18:08.850

Link: CVE-2026-41179

Redhat

Severity : Important

Public Date: 2026-04-23T00:03:36Z

Links: CVE-2026-41179 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses