CVE-2026-41176 – rclone
“One exposed setting can quietly remove every security check behind it.”
This patch addresses CVE-2026-41176 in rclone. The vulnerability affects versions 1.45.0 through 1.73.4 and stems from an authorization weakness in the RC endpoint options/set. The endpoint allows modification of global runtime configuration without requiring authentication. An unauthenticated attacker can disable RC authorization controls by setting rc.NoAuth=true, exposing administrative functionality that should normally be restricted.
CVE-2026-41176 has a CVSS score of 9.2, which is Critical severity. The vulnerability is classified as CWE-306, Missing Authentication for Critical Function. Successful exploitation can allow unauthorized access to sensitive configuration and operational management functions on affected RC servers. A public proof-of-concept (PoC) has been reported. Version 1.73.5 patches the issue.
Key Details
- Affected Product
- Rclone Rclone
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-306