Hi,

The following vulnerability was published for rclone.

CVE-2026-41176[0]:
| Rclone is a command-line program to sync files and directories to
| and from different cloud storage providers. The RC endpoint
| `options/set` is exposed without `AuthRequired: true`, but it can
| mutate global runtime configuration, including the RC option block
| itself. Starting in version 1.45.0 and prior to version 1.73.5, an
| unauthenticated attacker can set `rc.NoAuth=true`, which disables
| the authorization gate for many RC methods registered with
| `AuthRequired: true` on reachable RC servers that are started
| without global HTTP authentication. This can lead to unauthorized
| access to sensitive administrative functionality, including
| configuration and operational RC methods. Version 1.73.5 patches the
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41176
    https://www.cve.org/CVERecord?id=CVE-2026-41176
[1] https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
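Added here as an illustration of the flaw the advisory describes, not rclone's code and not part of the report above: a Go model of an RC dispatcher whose `options/set` can rewrite the very option block that the authorization gate consults. With `options/set` left ungated, one unauthenticated call flips `NoAuth` and every `AuthRequired` method on a server without global HTTP auth opens up; registering `options/set` with `AuthRequired: true` closes that path. The names `Options`, `Call`, `Server` and `gated/example` are assumptions made for the model.

```go
package main
import "errors"
// Minimal model of an RC dispatcher with a per-method auth gate. Constructed for
// this example, not rclone's code; Options, Call, Server, "gated/example" are assumptions.
type Options struct{ NoAuth bool } // global option block; NoAuth models rc.NoAuth
// Call is one registered RC method; AuthRequired marks it as gated.
type Call struct{ AuthRequired bool; Fn func(*Server, map[string]any) error }
// Server: httpAuth is true when started with global HTTP authentication.
type Server struct {
	opts     Options
	calls    map[string]Call
	httpAuth bool
}
// Dispatch enforces the gate: without global HTTP auth, an AuthRequired
// method is refused unless NoAuth has been set in the option block.
func (s *Server) Dispatch(name string, params map[string]any) error {
	c, ok := s.calls[name]
	if !ok {
		return errors.New("unknown method")
	}
	if c.AuthRequired && !s.httpAuth && !s.opts.NoAuth {
		return errors.New("authentication required")
	}
	return c.Fn(s, params)
}
// setOptions models options/set: it rewrites the RC block, NoAuth included.
func setOptions(s *Server, p map[string]any) error {
	if rc, ok := p["rc"].(map[string]any); ok {
		if v, ok := rc["NoAuth"].(bool); ok {
			s.opts.NoAuth = v
		}
	}
	return nil
}
// NewServer: options/set ungated (the flaw) or gated (the fix), plus a hypothetical gated method.
func NewServer(httpAuth, gateOptionsSet bool) *Server {
	return &Server{httpAuth: httpAuth, calls: map[string]Call{
		"options/set":   {AuthRequired: gateOptionsSet, Fn: setOptions},
		"gated/example": {AuthRequired: true, Fn: func(*Server, map[string]any) error { return nil }},
	}}
}
// GateBypassable: can a caller with no credentials, on a server started
// without HTTP auth, reach the gated method after one options/set call?
func GateBypassable(gateOptionsSet bool) bool {
	s := NewServer(false, gateOptionsSet)
	_ = s.Dispatch("options/set", map[string]any{"rc": map[string]any{"NoAuth": true}})
	return s.Dispatch("gated/example", nil) == nil
}
```

The audit rule the model makes concrete: any endpoint that can write to the state the gate reads must itself sit behind the gate, and a server exposed without global HTTP auth should be checked for exactly that.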