CVE-2026-41179 PUBLISHED

RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Assigner: GitHub_M
Reserved: 17.04.2026
Published: 23.04.2026
Updated: 23.04.2026

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, bearer_token_command is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
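The two weaknesses named below (an RC method reachable without authentication, and a backend parameter that runs a local command when the backend is created) combine only when a request to operations/fsinfo carries an on-the-fly backend definition. The following detection logic is an added example, not rclone's own code: it parses rclone's `:backend,key=value,...:path` connection-string syntax with its own small tokenizer and flags request records that match the pattern in the advisory. It assumes the request bodies were captured by a reverse proxy or WAF in front of `rclone rcd` (rclone itself does not log bodies), and the request records and the set of command-executing parameters beyond `bearer_token_command` are constructed assumptions.

```python
"""Flag RC requests matching the CVE-2026-41179 pattern (added example, not rclone code)."""
import json

# Backend parameters that execute a local command during backend initialisation.
# bearer_token_command (WebDAV) is the one named in the advisory; any further
# entries are deployment-specific assumptions to be extended by the operator.
COMMAND_PARAMS = {"bearer_token_command"}

# RC methods the advisory names as reachable without AuthRequired.
UNAUTHENTICATED_FS_METHODS = {"operations/fsinfo"}


def parse_inline_backend(fs):
    """Parse rclone's on-the-fly backend syntax ':backend,k=v,k2="v,2":path'.

    Returns (backend, params) or None when `fs` is a named remote or a local
    path. Double-quoted values may contain commas and colons; '""' inside a
    quoted value is a literal quote.
    """
    if not fs.startswith(":"):
        return None
    parts, cur, in_quotes, i = [], [], False, 1
    while i < len(fs):
        c = fs[i]
        if in_quotes:
            if c == '"' and fs[i + 1:i + 2] == '"':  # escaped quote
                cur.append('"')
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                cur.append(c)
        elif c == '"':
            in_quotes = True
        elif c == ",":
            parts.append("".join(cur))
            cur = []
        elif c == ":":  # end of the backend,params section
            break
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    params = {}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        params[key] = value
    return parts[0], params


def classify_request(req):
    """Return a list of finding strings for one request record (empty = clean)."""
    path = req.get("path", "").strip("/")
    if path not in UNAUTHENTICATED_FS_METHODS:
        return []
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        return [f"unparseable JSON body sent to {path}"]
    fs = body.get("fs")
    if not isinstance(fs, str):
        return []
    parsed = parse_inline_backend(fs)
    if parsed is None:
        return []  # named remote: nothing is instantiated from request input
    backend, params = parsed
    findings = []
    if not req.get("authenticated"):
        findings.append(f"unauthenticated {path} instantiating on-the-fly backend '{backend}'")
    hits = sorted(COMMAND_PARAMS & params.keys())
    if hits:
        findings.append(f"{path} passes command-executing parameter(s) {hits} to '{backend}'")
    return findings


def scan_requests(requests):
    """Return [(index, finding), ...] over a sequence of request records."""
    return [(i, f) for i, req in enumerate(requests) for f in classify_request(req)]


# Constructed sample records, shaped like a proxy log with captured bodies.
SAMPLE_REQUESTS = [
    {"path": "/operations/fsinfo", "authenticated": True,
     "body": '{"fs": "backup:"}'},
    {"path": "/operations/fsinfo", "authenticated": False,
     "body": '{"fs": ":webdav,url=\\"http://127.0.0.1:8080\\",bearer_token_command=\\"/bin/true\\":"}'},
    {"path": "/core/version", "authenticated": False, "body": "{}"},
]

if __name__ == "__main__":
    for index, finding in scan_requests(SAMPLE_REQUESTS):
        print(f"request[{index}]: {finding}")
```

The first finding (unauthenticated instantiation of any on-the-fly backend) is the CWE-306 side and is worth alerting on by itself; the second (a command-executing parameter in the definition) is the CWE-78 side. Deployments on 1.73.5 or later, or running rcd with HTTP authentication on every endpoint, should not produce the first finding at all.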

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor: rclone
Product: rclone
Versions
  • Version >= 1.48.0, < 1.73.5 is affected

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-306: Missing Authentication for Critical Function