rclone CVE-2026-41176
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/rclone/rclone).
CVSS VectorVendor: https://github.com/rclone/rclone
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Summary
The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.
Preconditions
Preconditions for this vulnerability are:
- The rclone remote control API must be enabled, either by the
--rcflag or by running therclone rcdserver - The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the
--rc-addrflag is in use - The rc must have been deployed without global RC HTTP authentication - so not using
--rc-user/--rc-pass/--rc-htpasswd/etc
Details
The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.
The issue is caused by two properties of the RC implementation:
options/setis exposed withoutAuthRequired: true- the RC server enforces authorization for
AuthRequiredcalls using the mutable runtime values.opt.NoAuth
Relevant code paths:
fs/rc/config.go- registers
options/setwithoutAuthRequired: true rcOptionsSetreshapes attacker-controlled input into global option blocksfs/rc/rcserver/rcserver.go- request handling checks:
if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()- once
rc.NoAuthis changed totrue, laterAuthRequiredmethods become callable without credentials
This creates a runtime auth-bypass primitive on the RC interface.
After setting rc.NoAuth=true, previously protected administrative methods become callable, including configuration and operational endpoints such as:
config/listremotesconfig/dumpconfig/getoperations/listoperations/copyfilecore/command
Relevant code for the second-stage command execution path:
fs/metadata.gometadataMapper()usesexec.Command(...)fs/operations/rc.gooperations/copyfileis normallyAuthRequired: true- once
rc.NoAuth=true, it becomes reachable without credentials
This was validating using the following:
- current
masteras of 2026-04-14:bf55d5e6d37fd86164a87782191f9e1ffcaafa82 - latest public release tested locally:
v1.73.4
The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).
PoC
Minimal reproduction
Start a vulnerable server:
rclone rcd --rc-addr 127.0.0.1:5572No --rc-user, no --rc-pass, no --rc-htpasswd.
First confirm that a protected RC method is initially blocked:
curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
-H 'Content-Type: application/json' \
--data '{}'Expected result: HTTP 403.
Use unauthenticated options/set to disable the auth gate:
curl -sS -X POST http://127.0.0.1:5572/options/set \
-H 'Content-Type: application/json' \
--data '{"rc":{"NoAuth":true}}'Expected result: HTTP 200 {}
Then call the same protected method again without credentials:
curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
-H 'Content-Type: application/json' \
--data '{}'Expected result: HTTP 200 with a JSON response such as:
{"remotes":[]}Testing performed
This was successfully reproduced:
- on the tester's ocal test environment
- on a public amd64 Ubuntu host controlled by the tester
Using the public host, the following was confirmed:
- unauthenticated
options/setsuccessfully setrc.NoAuth=true - previously protected RC methods became callable without credentials
- the issue was reproducible through direct host execution
Impact
This is an authorization bypass on the RC administrative interface.
It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.
Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.
AnalysisAI
Authentication bypass in rclone's remote control (RC) API allows network attackers to disable authorization checks via unauthenticated configuration mutation, enabling full administrative access to RC endpoints. The options/set endpoint lacks authentication requirements and permits setting rc.NoAuth=true, which disables protection for all RC methods marked AuthRequired: true. Affects rclone v1.45 onward when RC is network-accessible without HTTP authentication. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub security advisory provides detailed proof-of-concept reproduction steps. CVSS 9.2 reflects critical severity with network vector and no authentication required, though CVSS:4.0 AT:P (Attack Requirements: Present) indicates specific deployment prerequisites limit automatic exploitation.
Technical ContextAI
Rclone is a command-line program for managing cloud storage that includes an optional remote control (RC) HTTP API for administrative operations. The vulnerability stems from an inconsistent authorization model where the options/set endpoint (registered in fs/rc/config.go) lacks the AuthRequired: true flag, allowing unauthenticated callers to mutate global runtime configuration including the RC option block itself. The RC server's authorization enforcement in fs/rc/rcserver/rcserver.go checks if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth() using the mutable runtime value s.opt.NoAuth rather than immutable startup configuration. This creates a time-of-check-time-of-use (TOCTOU) vulnerability where an attacker can flip the authorization gate after server initialization. The root cause maps to CWE-306 (Missing Authentication for Critical Function) as the configuration mutation endpoint lacks authentication controls despite its security-critical nature. Affected product CPE: pkg:go/github.com/rclone/rclone from v1.45 onward, with additional high-impact exploitation paths introduced in later versions as RC functionality expanded.
RemediationAI
Consult the official GitHub security advisory at https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx for vendor-confirmed patch version and upgrade immediately if running affected versions with network-exposed RC. Primary fix is upgrading to the patched rclone release identified in the advisory. If immediate patching is not feasible, implement these compensating controls with their respective trade-offs: (1) Enable global HTTP authentication using --rc-user and --rc-pass flags, which adds authentication overhead but provides defense-in-depth; (2) Restrict RC network binding to localhost only by removing --rc-addr or setting it to 127.0.0.1, which prevents remote administration capabilities; (3) Disable RC entirely by removing --rc flag or not running rclone rcd, which eliminates all remote control functionality including legitimate administrative workflows; (4) Deploy network-level access controls (firewall rules, VPN requirements) to limit RC endpoint reachability to trusted networks only, which adds infrastructure complexity and may conflict with cloud deployment models. Note that workarounds (2) and (3) eliminate the vulnerable attack surface but also disable intended RC functionality, requiring assessment of operational impact before implementation.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-25qr-6mpr-f7qx