Changeflow GovPing Data Privacy & Cybersecurity Rclone Vulnerabilities CVE-2026-41176 and CVE-2...
Urgent Notice Added Final

Rclone Vulnerabilities CVE-2026-41176 and CVE-2026-41179: PoC Exploits Released

Favicon for www.acn.gov.it Italy ACN News alt
Published
Detected
Email

Summary

The Italian National Cybersecurity Agency (ACN) and CSIRT-ITA published alert AL02/260427/CSIRT-ITA disclosing two critical vulnerabilities in Rclone (CVE-2026-41176 and CVE-2026-41179) affecting versions 1.45.0 through 1.73.4, both with CVSS v4.0 scores of 9.2. Proof-of-Concept (PoC) exploits are now publicly available for both vulnerabilities despite vendor patches already being released. The first vulnerability is a missing authentication flaw allowing remote unauthenticated attackers to disable RC API authorization controls via the rc.NoAuth parameter; the second is an OS command injection vulnerability in the operations/fsinfo endpoint exploiting the bearer_token_command option during backend initialization. Organizations using Rclone with the Remote Control API exposed to untrusted networks face immediate risk of configuration extraction and remote code execution.

Why this matters

Organizations with Rclone instances running the Remote Control API should treat these systems as critically exposed given the public PoC availability. The CVE-2026-41176 authentication bypass allows extraction of OAuth tokens and cloud secrets, while CVE-2026-41179 enables direct command execution on the host. Patching is the primary mitigation, but teams should also audit RC API configurations and rotate any credentials that may have been accessible through the vulnerable endpoints.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by ACN on acn.gov.it . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors Italy ACN News alt for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 12 changes logged to date.

View original document View source feed page

What changed

ACN/Italian CSIRT published alert AL02/260427/CSIRT-ITA notifying that Proof-of-Concept exploits are publicly available for two critical Rclone vulnerabilities (CVE-2026-41176 and CVE-2026-41179) affecting versions 1.45.0 through 1.73.4. CVE-2026-41176 (CVSS 9.2) is a missing authentication vulnerability enabling remote unauthenticated attackers to disable RC API authorization via the rc.NoAuth parameter, potentially exposing OAuth tokens, API keys, and cloud secrets. CVE-2026-41179 (CVSS 9.2) is an OS command injection flaw in the operations/fsinfo endpoint where an attacker can declare a fake backend using the bearertokencommand option during initialization, resulting in arbitrary system command execution without credentials.

Organizations using Rclone with the Remote Control API (RC) exposed to untrusted networks should prioritize immediate patching to the latest vendor release. The availability of public PoC exploits significantly elevates real-world exploitation risk. Given the critical severity of both vulnerabilities, any Rclone instance with RC API exposure should be treated as compromised until patched and audited for unauthorized configuration changes.

What to do next

  1. Update Rclone to the latest version following vendor security bulletins

Archived snapshot

Apr 27, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Rclone: disponibili PoC per lo sfruttamento delle CVE-2026-41176 e CVE-2026-41179

**
Alert**

AL02/260427/CSIRT-ITA

Condividi
- Facebook
- Twitter
- LinkedIn
- Whatsapp

Sintesi

Disponibili Proof of Concept (PoC) per lo sfruttamento delle vulnerabilità CVE-2026-41176 e CVE-2026-41179 - già sanate dal vendor - presenti nella Remote Control API (RC) di Rclone, noto tool open source per la gestione, sincronizzazione e copia di file remoti.

Tipologia

  • Authentication Bypass
  • Remote Code Execution

Descrizione e potenziali impatti

Disponibili Proof of Concept (PoC) per lo sfruttamento delle vulnerabilità CVE-2026-41176 e CVE-2026-41179 - già sanate dal vendor - presenti nella Remote Control API (RC) di Rclone.

Nel dettaglio, la prima vulnerabilità, identificata tramite la CVE-2026-41176 - di tipo “ Missing Authentication for Critical Function ” e con score CVSS v4.0 pari a 9.2 – è causata da una mancata applicazione dei controlli di autenticazione su una funzione altamente privilegiata: la vulnerabilità consentirebbe a un attaccante remoto non autenticato, in determinate condizioni, di disabilitare i controlli di autorizzazione sugli endpoint Remote Control API (RC) tramite l’invio di una richiesta HTTP opportunamente predisposta che imposta il parametro rc.NoAuth = true.

Avendo disabilitato i controlli, l’attaccante riesce ad ottenere accesso, in lettura e scrittura, ai file di configurazione, attraverso l’utilizzo delle API operative, e potrebbe, inoltre, estrarre token OAuth, chiavi API e segreti cloud, con conseguente compromissione dei servizi cloud collegati a Rclone.

La seconda vulnerabilità, identificata tramite la CVE-2026-41179 - di tipo “ OS Command Injection ” e con score CVSS v4.0 pari a 9.2 – è dovuta a una mancata protezione dell’endpoint operations/fsinfo: nel dettaglio, la vulnerabilità consentirebbe ad un attaccante remoto non autenticato di inviare una richiesta HTTP manipolata verso l’endpoint (qualora quest’ultimo sia esposto senza autenticazione o qualora l’attaccante riesca a sfruttare la CVE-2026-41176 per eludere l’autenticazione).

Sfruttando la funzionalità di Rclone che consente di definire backend direttamente nella richiesta, l’attaccante potrebbe quindi dichiarare un backend fittizio, che, durante l’inizializzazione, supporti l’opzione bearertokencommand, progettata per eseguire comandi di sistema.

A questo punto, poiché il comando non viene validato, Rclone esegue automaticamente il comando fornito dall’attaccante nel momento in cui tenta di inizializzare il backend, permettendo l’esecuzione remota di codice senza credenziali.

Prodotti e/o versioni affette

Rclone versioni dalla 1.45.0 fino alla 1.73.4 incluse

N.B. Si evidenzia che i prodotti elencati risultano vulnerabili nel caso in cui siano configurati come indicato nei relativi bollettini di sicurezza.

Azioni di mitigazione

In linea con le dichiarazioni del vendor, si raccomanda di aggiornare i prodotti vulnerabili seguendo le indicazioni dei bollettini di sicurezza riportati nella sezione In linea con le dichiarazioni del vendor, si raccomanda di aggiornare i prodotti vulnerabili seguendo le indicazioni dei bollettini di sicurezza riportati nella sezione Riferimenti.

CVE (2)

Cerca:
| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-41179 | Presente | - |
| CVE-2026-41176 | Presente | - |

Riferimenti (3)

  1. https://rclone.org/changelog/?diffydate=1776604831
  2. https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
  3. https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q

Change log

Versione Note Data
1.0 Pubblicato il 27-04-2026 27/04/2026

Impatto sistemico

Critico (79.23)

Argomenti

Data pubblicazione

27/04/26 ore 14:08

Data Ultimo Aggiornamento

27/04/26 ore 14:08

Related changes

Favicon for www.acn.gov.it Italy ACN Publishes Critical Notepad++ CVE-2026-3008 Alert With Public PoC
Priority review Apr 27, 2026 Italy ACN News alt Data Privacy & Cybersecurity
Favicon for www.acn.gov.it Grafana Tempo High-Severity Vulnerability Fixed CVE-2026-21728
Priority review Apr 25, 2026 Italy ACN News alt Data Privacy & Cybersecurity
Favicon for www.acn.gov.it Ruby ERB Remote Code Execution Vulnerability CVE-2026-41316
Priority review Apr 23, 2026 Italy ACN News alt Data Privacy & Cybersecurity

Get daily alerts for Italy ACN News alt

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.acn.gov.it
Italy ACN News alt acn.gov.it/portale/feedrss/-/journal/rss/20119/723192
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ACN.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
ACN
Published
April 27th, 2026
Instrument
Notice
Branch
Executive
Source language
it
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
AL02/260427/CSIRT-ITA

Who this affects

Applies to
Technology companies Manufacturers
Industry sector
5112 Software & Technology
Activity scope
Vulnerability disclosure Security patching Remote code execution risk
Geographic scope
IT IT

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Software & Technology

Browse Categories

Agriculture & Food Safety 84 AI Regulation 1 Banking & Finance 507 Consumer Protection 142 Courts & Legal 630 Data Privacy & Cybersecurity 153 Defense & National Security 52 Education 63 Energy 135 Environment 170 Government & Legislation 529 Healthcare 1 Healthcare & Life Sciences 412 Immigration 11 Insurance 90 Labor & Employment 196 Pharma & Drug Safety 13 Professional Licensing 1 Real Estate & Housing 76 Securities & Markets 178 Tax 118 Telecom & Technology 57 Trade & Sanctions 167 Transportation 132

Get alerts for this source

We'll email you when Italy ACN News alt publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!