Skip to main content

rclone CVE-2026-41176

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-22 https://github.com/rclone/rclone GHSA-25qr-6mpr-f7qx
9.2
CVSS 4.0 · Vendor: https://github.com/rclone/rclone
Share

Severity by source

Vendor (https://github.com/rclone/rclone) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/rclone/rclone).

CVSS VectorVendor: https://github.com/rclone/rclone

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
PoC Detected
Apr 27, 2026 - 18:19 vuln.today
Public exploit code
Patch released
Apr 23, 2026 - 02:30 nvd
Patch available
Analysis Updated
Apr 23, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 00:22 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 00:22 NVD
9.2 (CRITICAL)
Analysis Generated
Apr 22, 2026 - 15:01 vuln.today
Analysis Generated
Apr 22, 2026 - 14:45 vuln.today
CVE Published
Apr 22, 2026 - 14:44 nvd
CRITICAL 9.2

DescriptionCVE.org

Summary

The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

Preconditions

Preconditions for this vulnerability are:

  • The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
  • The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
  • The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc

Details

The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.

The issue is caused by two properties of the RC implementation:

  1. options/set is exposed without AuthRequired: true
  2. the RC server enforces authorization for AuthRequired calls using the mutable runtime value s.opt.NoAuth

Relevant code paths:

  • fs/rc/config.go
  • registers options/set without AuthRequired: true
  • rcOptionsSet reshapes attacker-controlled input into global option blocks
  • fs/rc/rcserver/rcserver.go
  • request handling checks:
  • if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()
  • once rc.NoAuth is changed to true, later AuthRequired methods become callable without credentials

This creates a runtime auth-bypass primitive on the RC interface.

After setting rc.NoAuth=true, previously protected administrative methods become callable, including configuration and operational endpoints such as:

  • config/listremotes
  • config/dump
  • config/get
  • operations/list
  • operations/copyfile
  • core/command

Relevant code for the second-stage command execution path:

  • fs/metadata.go
  • metadataMapper() uses exec.Command(...)
  • fs/operations/rc.go
  • operations/copyfile is normally AuthRequired: true
  • once rc.NoAuth=true, it becomes reachable without credentials

This was validating using the following:

  • current master as of 2026-04-14: bf55d5e6d37fd86164a87782191f9e1ffcaafa82
  • latest public release tested locally: v1.73.4

The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

PoC

Minimal reproduction

Start a vulnerable server:

bash
rclone rcd --rc-addr 127.0.0.1:5572

No --rc-user, no --rc-pass, no --rc-htpasswd.

First confirm that a protected RC method is initially blocked:

bash
curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 403.

Use unauthenticated options/set to disable the auth gate:

bash
curl -sS -X POST http://127.0.0.1:5572/options/set \
  -H 'Content-Type: application/json' \
  --data '{"rc":{"NoAuth":true}}'

Expected result: HTTP 200 {}

Then call the same protected method again without credentials:

bash
curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 200 with a JSON response such as:

json
{"remotes":[]}
Testing performed

This was successfully reproduced:

  • on the tester's ocal test environment
  • on a public amd64 Ubuntu host controlled by the tester

Using the public host, the following was confirmed:

  • unauthenticated options/set successfully set rc.NoAuth=true
  • previously protected RC methods became callable without credentials
  • the issue was reproducible through direct host execution

Impact

This is an authorization bypass on the RC administrative interface.

It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.

Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.

AnalysisAI

Authentication bypass in rclone's remote control (RC) API allows network attackers to disable authorization checks via unauthenticated configuration mutation, enabling full administrative access to RC endpoints. The options/set endpoint lacks authentication requirements and permits setting rc.NoAuth=true, which disables protection for all RC methods marked AuthRequired: true. Affects rclone v1.45 onward when RC is network-accessible without HTTP authentication. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub security advisory provides detailed proof-of-concept reproduction steps. CVSS 9.2 reflects critical severity with network vector and no authentication required, though CVSS:4.0 AT:P (Attack Requirements: Present) indicates specific deployment prerequisites limit automatic exploitation.

Technical ContextAI

Rclone is a command-line program for managing cloud storage that includes an optional remote control (RC) HTTP API for administrative operations. The vulnerability stems from an inconsistent authorization model where the options/set endpoint (registered in fs/rc/config.go) lacks the AuthRequired: true flag, allowing unauthenticated callers to mutate global runtime configuration including the RC option block itself. The RC server's authorization enforcement in fs/rc/rcserver/rcserver.go checks if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth() using the mutable runtime value s.opt.NoAuth rather than immutable startup configuration. This creates a time-of-check-time-of-use (TOCTOU) vulnerability where an attacker can flip the authorization gate after server initialization. The root cause maps to CWE-306 (Missing Authentication for Critical Function) as the configuration mutation endpoint lacks authentication controls despite its security-critical nature. Affected product CPE: pkg:go/github.com/rclone/rclone from v1.45 onward, with additional high-impact exploitation paths introduced in later versions as RC functionality expanded.

RemediationAI

Consult the official GitHub security advisory at https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx for vendor-confirmed patch version and upgrade immediately if running affected versions with network-exposed RC. Primary fix is upgrading to the patched rclone release identified in the advisory. If immediate patching is not feasible, implement these compensating controls with their respective trade-offs: (1) Enable global HTTP authentication using --rc-user and --rc-pass flags, which adds authentication overhead but provides defense-in-depth; (2) Restrict RC network binding to localhost only by removing --rc-addr or setting it to 127.0.0.1, which prevents remote administration capabilities; (3) Disable RC entirely by removing --rc flag or not running rclone rcd, which eliminates all remote control functionality including legitimate administrative workflows; (4) Deploy network-level access controls (firewall rules, VPN requirements) to limit RC endpoint reachability to trusted networks only, which adds infrastructure complexity and may conflict with cloud deployment models. Note that workarounds (2) and (3) eliminate the vulnerable attack surface but also disable intended RC functionality, requiring assessment of operational impact before implementation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP6 Fixed

Share

CVE-2026-41176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy