CVE-2026-41176 – rclone

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“One exposed setting can quietly remove every security check behind it.”

This patch addresses CVE-2026-41176 in rclone. The vulnerability affects versions 1.45.0 through 1.73.4 and stems from an authorization weakness in the RC endpoint options/set. The endpoint allows modification of global runtime configuration without requiring authentication. An unauthenticated attacker can disable RC authorization controls by setting rc.NoAuth=true, exposing administrative functionality that should normally be restricted.

CVE-2026-41176 has a CVSS score of 9.2, which is Critical severity. The vulnerability is classified as CWE-306, Missing Authentication for Critical Function. Successful exploitation can allow unauthorized access to sensitive configuration and operational management functions on affected RC servers. A public proof-of-concept (PoC) has been reported. Version 1.73.5 patches the issue.

Key Details

Affected Product
Rclone Rclone
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-306
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.