Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the rclone command‑line utility, specifically within the rcd daemon when it is started with the --rc-serve flag. From release 1.46.0 up to 1.74.3, the daemon accepts unauthenticated HTTP GET or HEAD requests to paths like /[remote:path]/object. The remote part is parsed as an inline remote configuration and is passed directly to the backend initialization code. An attacker can embed backend options that execute local shell commands during this initialization, so a single unauthenticated HTTP request can trigger arbitrary command execution as the user running the rclone process.

Affected Systems

Affected systems are installations of the rclone tool with versions ranging from 1.46.0 to 1.74.3 inclusive. The vendor is rclone. Any deployment that runs the rcd service exposed to a network and does not restrict the backend configuration mechanism is vulnerable. The vulnerability is mitigated by the fix shipped in version 1.74.3.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity, and is not listed in the CISA KEV catalog. The EPSS score is 0.00495 (<1%), and combined with a high CVSS any authentication requirement, and the potential for local command execution results in a high risk of exploitation. The attack can be carried out by any entity that can reach the rcd service over its HTTP interface, which by default listens on port 5572 if not otherwise bound. Therefore, network attackers within the same host or external networks that can reach the service may trigger the flaw.

Generated by OpenCVE AI on June 26, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rclone to version 1.74.3 or newer, which contains the fix for this issue.
  • Configure firewall or system settings to bind rcd to localhost or otherwise limit network exposure so that only trusted hosts can access the service.
  • If the service must remain accessible, consider disabling the --rc-serve flag or enabling authentication mechanisms to prevent unauthenticated command execution.

Generated by OpenCVE AI on June 26, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qw24-gh76-8rvv Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

threat_severity

Critical


Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Rclone
Rclone rclone
Vendors & Products Rclone
Rclone rclone

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
Title Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-15T00:47:23.405Z

Reserved: 2026-06-02T18:30:51.282Z

Link: CVE-2026-49980

cve-icon Vulnrichment

Updated: 2026-07-13T12:05:21.402Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-24T17:52:33Z

Links: CVE-2026-49980 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:00:17Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')