Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-puyv-es86-uua3
Vulnerability ID VCID-puyv-es86-uua3
Aliases CVE-2026-41176
GHSA-25qr-6mpr-f7qx
Summary Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution ### Summary The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. ### Preconditions Preconditions for this vulnerability are: - The rclone remote control API **must** be enabled, either by the `--rc` flag or by running the `rclone rcd` server - The remote control API **must** be reachable by the attacker - by default rclone only serves the rc to localhost unless the `--rc-addr` flag is in use - The rc must have been deployed **without** global RC HTTP authentication - so not using `--rc-user`/`--rc-pass`/`--rc-htpasswd`/etc ### Details The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced. The issue is caused by two properties of the RC implementation: 1. `options/set` is exposed without `AuthRequired: true` 2. the RC server enforces authorization for `AuthRequired` calls using the mutable runtime value `s.opt.NoAuth` Relevant code paths: - [`fs/rc/config.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go) - registers `options/set` without `AuthRequired: true` - `rcOptionsSet` reshapes attacker-controlled input into global option blocks - [`fs/rc/rcserver/rcserver.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go) - request handling checks: - `if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()` - once `rc.NoAuth` is changed to `true`, later `AuthRequired` methods become callable without credentials This creates a runtime auth-bypass primitive on the RC interface. After setting `rc.NoAuth=true`, previously protected administrative methods become callable, including configuration and operational endpoints such as: - `config/listremotes` - `config/dump` - `config/get` - `operations/list` - `operations/copyfile` - `core/command` Relevant code for the second-stage command execution path: - [`fs/metadata.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/metadata.go) - `metadataMapper()` uses `exec.Command(...)` - [`fs/operations/rc.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go) - `operations/copyfile` is normally `AuthRequired: true` - once `rc.NoAuth=true`, it becomes reachable without credentials This was validating using the following: - current `master` as of 2026-04-14: `bf55d5e6d37fd86164a87782191f9e1ffcaafa82` - latest public release tested locally: `v1.73.4` The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution). ### PoC #### Minimal reproduction Start a vulnerable server: ```bash rclone rcd --rc-addr 127.0.0.1:5572 ``` No `--rc-user`, no `--rc-pass`, no `--rc-htpasswd`. First confirm that a protected RC method is initially blocked: ```bash curl -sS -X POST http://127.0.0.1:5572/config/listremotes \ -H 'Content-Type: application/json' \ --data '{}' ``` Expected result: HTTP 403. Use unauthenticated `options/set` to disable the auth gate: ```bash curl -sS -X POST http://127.0.0.1:5572/options/set \ -H 'Content-Type: application/json' \ --data '{"rc":{"NoAuth":true}}' ``` Expected result: HTTP 200 `{}` Then call the same protected method again without credentials: ```bash curl -sS -X POST http://127.0.0.1:5572/config/listremotes \ -H 'Content-Type: application/json' \ --data '{}' ``` Expected result: HTTP 200 with a JSON response such as: ```json {"remotes":[]} ``` #### Testing performed This was successfully reproduced: - on the tester's ocal test environment - on a public amd64 Ubuntu host controlled by the tester Using the public host, the following was confirmed: - unauthenticated `options/set` successfully set `rc.NoAuth=true` - previously protected RC methods became callable without credentials - the issue was reproducible through direct host execution ### Impact This is an authorization bypass on the RC administrative interface. It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality. Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-306 Missing Authentication for Critical Function
CWE-15 External Control of System or Configuration Setting
System Score Found at
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41176.json
epss 0.02794 https://api.first.org/data/v1/epss?cve=CVE-2026-41176
epss 0.02794 https://api.first.org/data/v1/epss?cve=CVE-2026-41176
epss 0.063 https://api.first.org/data/v1/epss?cve=CVE-2026-41176
epss 0.063 https://api.first.org/data/v1/epss?cve=CVE-2026-41176
epss 0.063 https://api.first.org/data/v1/epss?cve=CVE-2026-41176
cvssv3.1 9.8 https://github.com/rclone/rclone
cvssv4 9.2 https://github.com/rclone/rclone
generic_textual CRITICAL https://github.com/rclone/rclone
cvssv3.1 9.8 https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
cvssv4 9.2 https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
generic_textual CRITICAL https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
ssvc Track* https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
cvssv3.1 9.8 https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
cvssv4 9.2 https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
generic_textual CRITICAL https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
ssvc Track* https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
cvssv3.1 9.8 https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
cvssv4 9.2 https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
generic_textual CRITICAL https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
ssvc Track* https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2026-41176
cvssv4 9.2 https://nvd.nist.gov/vuln/detail/CVE-2026-41176
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2026-41176
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41176.json
https://api.first.org/data/v1/epss?cve=CVE-2026-41176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41176
https://github.com/rclone/rclone
https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
https://nvd.nist.gov/vuln/detail/CVE-2026-41176
1134734 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134734
2460989 https://bugzilla.redhat.com/show_bug.cgi?id=2460989
config.go https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
rcserver.go https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41176.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rclone/rclone
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rclone/rclone
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:36:39Z/ Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:36:39Z/ Found at https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:36:39Z/ Found at https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41176
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41176
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.86129
EPSS Score 0.02794
Published At April 24, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-23T09:16:00.286431+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-25qr-6mpr-f7qx/GHSA-25qr-6mpr-f7qx.json 38.4.0