CVE-2026-59732 PUBLISHED

rclone archive extract allows S3 destination prefix escape via crafted archive paths

Assigner: GitHub_M
Reserved: 06.07.2026 Published: 14.07.2026 Updated: 14.07.2026

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
CVSS Score: 5

Product Status

Vendor rclone
Product rclone
Versions
  • Version < 1.74.4 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE