Skip to main content

Rclone CVE-2026-59732

| EUVDEUVD-2026-44530 MEDIUM
Path Traversal (CWE-22)
2026-07-14 security-advisories@github.com
5.0
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Patch available
Jul 14, 2026 - 23:20 EUVD

DescriptionCVE.org

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.

Analysis

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy