Two Critical Unauthenticated RCE Vulnerabilities in Rclone, CVSS 9.2, Patch Immediately

Summary

The Centre for Cybersecurity Belgium (CCB) issued a critical security advisory warning of two unauthenticated remote code execution vulnerabilities (CVE-2026-41176 and CVE-2026-41179) affecting Rclone versions prior to 1.73.5. Both vulnerabilities carry a CVSS 4.0 score of 9.2 and allow remote attackers to bypass authentication controls or execute arbitrary commands on affected systems without requiring credentials or elevated privileges. The CCB strongly recommends immediate patching and enabling global HTTP authentication on RC server endpoints. As of the cut-off date of 23 April 2026, there is no indication of active exploitation.

“The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.”

CCB, verbatim from source
Published by CCB on ccb.belgium.be. Detected, standardized, and enriched by GovPing.

About this source

GovPing monitors Belgium CCB News alt for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 6 changes logged to date.

What changed

The CCB published a critical security advisory identifying two unauthenticated remote code execution vulnerabilities in Rclone, a command-line program used to manage files on cloud storage. CVE-2026-41176 is an authentication bypass on the RC administrative interface, while CVE-2026-41179 is a single-request command-execution vulnerability via the WebDAV backend initialization. Both require the RC API to be enabled and reachable without global HTTP authentication. The CCB recommends patching to version 1.73.5, enabling RC HTTP authentication, and implementing network-level access restrictions.

Organisations running Rclone with the remote control API enabled should treat this as an urgent priority. Any instance serving RC to non-localhost without --rc-user/--rc-pass/--rc-htpasswd authentication is potentially exploitable. Even after patching, organisations should monitor for indicators of historical compromise, as patching does not remediate prior intrusions.

What to do next

  1. Install updates for vulnerable devices with highest priority after thorough testing
  2. Enable global HTTP authentication on RC servers
  3. Implement network-level controls to restrict access to RC server endpoints
  4. Upscale monitoring and detection to identify suspicious activity

Archived snapshot

Apr 24, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Warning: Two critical unauthenticated code execution vulnerabilities in Rclone, Patch Immediately!

Published: 24/04/2026

  • Last update: 24/04/2026
  • Affected software: Rclone
  • Type: Remote Code Execution
  • CVE/CVSS:
    → CVE-2026-41176: CVSS 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
    → CVE-2026-41179: CVSS 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Sources

Advisory (CVE-2026-41176) - https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
Advisory (CVE-2026-41179) - https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q

Risks

Two critical vulnerabilities have been identified in Rclone. CVE-2026-41176 and CVE-2026-41179 are both unauthenticated code execution vulnerabilities. Either one can be exploited remotely.

Rclone is a command-line program to manage files on cloud storage. It is a popular tool that works with a majority of cloud providers. As more and more organisations rely on the cloud to store data, including sensitive data, vulnerabilities targeting cloud technology become increasingly attractive for threat actors.

As of this publication, there is no indication of active exploitation (cut-off date: 23 April 2026).

Description

CVE-2026-41176 is an authentication bypass vulnerability on the RC (Remote Control) administrative interface of Rclone versions prior to version 1.73.5. An unauthenticated attacker with network access to an Rclone RC server can bypass authentication controls and gain unauthorised access to sensitive administrative functionality, including configuration and operational RC methods.

This could allow attackers to manipulate configuration, access operational RC methods, read sensitive data, and potentially compromise the integrity and confidentiality of stored cloud data and configurations. Depending on the enabled RC surface and runtime configuration, this can lead to local file read, credential/config disclosure, filesystem enumeration, and command execution.

CVE-2026-41179 is a single-request unauthenticated command-execution vulnerability on reachable RC deployments without global HTTP authentication. It affects Rclone versions prior to version 1.73.5. An unauthenticated attacker with network access to an RC deployment can execute arbitrary local commands on the affected system without requiring any authentication or elevated privileges. This is accomplished through a single request by leveraging the WebDAV backend initialization process.

A successful attacker can obtain local file read, file write, or shell access, depending on the deployed environment. This could potentially lead to full system compromise, data theft, lateral movement, or denial of service.

Note that the following preconditions must all be met for exploitation of CVE-2026-41176 and CVE-2026-41179 to be successful:

  • The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server.
  • The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use.
  • The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc.
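
The three preconditions above can be checked against an inventory of rclone command lines and versions. The following is an added example, not part of the CCB advisory or the rclone project; the function names and sample command lines are constructed, and it inspects command-line flags only, so settings supplied any other way are not seen.

```python
import ipaddress
import re
import shlex

FIXED = (1, 73, 5)  # first patched release named in the advisory

def flag_value(argv, name):
    """Value of '--name=value' or '--name value'; None when absent."""
    for i, arg in enumerate(argv):
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
    return None

def is_loopback(addr):
    """True only when the listen address is clearly loopback-bound."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # ":5572", hostnames, sockets: assume reachable

def audit(cmdline, version):
    """Check one rclone command line against the advisory's preconditions."""
    argv = shlex.split(cmdline)
    rc_enabled = "--rc" in argv or "rcd" in argv[1:]
    addr = flag_value(argv, "--rc-addr")
    reachable = addr is not None and not is_loopback(addr)
    # Conservative: count auth only for user+pass together, or an htpasswd file.
    auth = bool(flag_value(argv, "--rc-htpasswd")) or all(
        flag_value(argv, f) for f in ("--rc-user", "--rc-pass"))
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    unpatched = m is None or tuple(map(int, m.groups())) < FIXED
    exposed = rc_enabled and reachable and not auth
    return {"rc_enabled": rc_enabled, "reachable": reachable, "auth": auth,
            "unpatched": unpatched, "exposed": exposed,
            "urgent": exposed and unpatched}

# Constructed sample inventory (command line, reported version); not real hosts.
SAMPLES = [
    ("rclone rcd --rc-addr 0.0.0.0:5572", "v1.73.4"),
    ("rclone rcd --rc-addr=:5572 --rc-user ops --rc-pass s3cret", "v1.73.4"),
    ("rclone mount remote: /mnt/x --rc", "v1.72.0"),
    ("rclone rcd --rc-addr [::1]:5572", "v1.73.5"),
]

if __name__ == "__main__":
    for cmd, ver in SAMPLES:
        print(audit(cmd, ver)["urgent"], ver, cmd)
```

An instance reported as `exposed` on a patched version still lacks the global HTTP authentication and network restriction the CCB recommends, and an unpatched instance that is not `exposed` still needs the update.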

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

The CCB also recommends enabling global HTTP authentication on RC servers and implementing network-level controls to restrict access to RC server endpoints and the RC service.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Feedly - https://feedly.com/cve/CVE-2026-41176
Feedly - https://feedly.com/cve/CVE-2026-41179

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CCB.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency
CCB
Published
April 24th, 2026
Instrument
Guidance
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies Government agencies Healthcare providers
Industry sector
5112 Software & Technology
Activity scope
Vulnerability remediation Patch management Secure server configuration
Geographic scope
BE BE

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Data Privacy Communications & Technology
