rclone Versions Below 1.73.5 Critical Security Vulnerabilities
Summary
CERT-Bund issued security advisory WID-SEC-2026-1179 warning of critical vulnerabilities in rclone versions below 1.73.5. The flaws carry a CVSS Base Score of 9.8 (critical) and a CVSS Temporal Score of 8.8 (high), with remote attack capability confirmed. An attacker can exploit these vulnerabilities to bypass security measures and execute arbitrary code on affected systems.
“Ein Angreifer kann mehrere Schwachstellen in rclone ausnutzen, um Sicherheitsvorkehrungen zu umgehen und beliebigen Programmcode auszuführen.”
Organisations running rclone in any configuration should verify their installed version against the 1.73.5 threshold immediately. Cloud storage sync workflows frequently run with elevated filesystem permissions, making arbitrary code execution particularly severe. Even deployments behind network controls should patch, as the CVSS 9.8 score indicates exploitability from adjacent networks or limited-access contexts.
What changed
CERT-Bund published a security advisory reporting critical vulnerabilities in rclone, an open-source command-line file synchronization tool for cloud storage services. Multiple flaws allow an attacker to bypass security mechanisms and execute arbitrary code, with a CVSS Base Score of 9.8 and a CVSS Temporal Score of 8.8. The affected version is Open Source rclone prior to 1.73.5, covering Linux, UNIX, Windows, and other operating systems.
Organisations using rclone for cloud storage synchronization should prioritise updating to version 1.73.5 or later. Given the critical severity and confirmed remote attack vector, any deployment with network-accessible rclone instances faces elevated risk. While the advisory indicates mitigation is available, no specific compensating controls are detailed beyond the version update.
Archived snapshot
Apr 20, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1179] rclone: Mehrere Schwachstellen CVSS Base Score 9.8 (kritisch) CVSS Temporal Score 8.8 (hoch) Remoteangriff ja Datum 19.04.2026 Stand 20.04.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Linux
- Sonstiges
- UNIX
- Windows
Produktbeschreibung
Rclone ist ein Open-Source-Befehlszeilenprogramm zur Synchronisierung von Dateien und Verzeichnissen mit verschiedenen Cloud-Speicherdiensten.
Produkte
19.04.2026
- Open Source rclone <1.73.5
Angriff
Angriff
Ein Angreifer kann mehrere Schwachstellen in rclone ausnutzen, um Sicherheitsvorkehrungen zu umgehen und beliebigen Programmcode auszuführen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Related changes
Get daily alerts for CERT-Bund Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.