#1134735 rclone: CVE-2026-41179

Package:
src:rclone
Source:
src:rclone
Submitter:
Salvatore Bonaccorso
Date:
2026-06-11 06:47:01 UTC
Severity:
normal
Tags:
#1134735#5
Date:
2026-04-23 20:24:29 UTC
From:
To:
Hi,

The following vulnerability was published for rclone.

CVE-2026-41179[0]:
| Rclone is a command-line program to sync files and directories to
| and from different cloud storage providers. Starting in version
| 1.48.0 and prior to version 1.73.5, the RC endpoint
| `operations/fsinfo` is exposed without `AuthRequired: true` and
| accepts attacker-controlled `fs` input. Because `rc.GetFs(...)`
| supports inline backend definitions, an unauthenticated attacker can
| instantiate an attacker-controlled backend on demand. For the WebDAV
| backend, `bearer_token_command` is executed during backend
| initialization, making single-request unauthenticated local command
| execution possible on reachable RC deployments without global HTTP
| authentication. Version 1.73.5 patches the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41179
https://www.cve.org/CVERecord?id=CVE-2026-41179
[1] https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
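The advisory's conditions can be turned into a quick triage check for an rclone host: the version must lie in the affected range (1.48.0 up to but not including 1.73.5), and the exposure to unauthenticated callers depends on whether the RC server was started with global HTTP authentication. The following POSIX sh script is an added example for this page, not code from the bug report, from Debian, or from rclone itself. It assumes `rclone version` prints `rclone vX.Y.Z` on its first line, and it looks only for the `--rc-user` and `--rc-htpasswd` command-line flags; auth supplied via environment variables or a config file is not detected, so a negative result should be read as "needs a closer look", not "exposed". The sample version output and command line embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not rclone's or Debian's code): triage a running rclone RC
# deployment against the version range and auth condition named in the
# advisory for CVE-2026-41179.

# vercmp_lt A B: succeed (exit 0) when dotted version A sorts before B,
# comparing component by component as integers (1.9.0 < 1.10.0).
vercmp_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        : "${ai:=0}"            # missing trailing components count as 0
        : "${bi:=0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                    # equal versions: A is not less than B
}

# is_affected_version V: succeed when 1.48.0 <= V < 1.73.5 (the advisory's
# range). Accepts "v1.72.3", "1.72.3" or "1.72.3-DEV".
is_affected_version() {
    v=${1#v}
    v=${v%%-*}
    if vercmp_lt "$v" 1.48.0; then return 1; fi   # predates the RC endpoint
    if vercmp_lt "$v" 1.73.5; then return 0; fi   # before the fixed release
    return 1                                      # 1.73.5 or later: patched
}

# rclone_version_string OUTPUT: extract "X.Y.Z" from the text that
# `rclone version` prints (assumed first line: "rclone vX.Y.Z").
rclone_version_string() {
    printf '%s\n' "$1" | sed -n '1s/^rclone v\{0,1\}//p'
}

# rc_cmdline_has_auth CMDLINE: succeed when the rcd command line carries a
# global HTTP auth flag. Assumption: only --rc-user / --rc-htpasswd are
# checked; RCLONE_RC_* environment variables are not visible here.
rc_cmdline_has_auth() {
    case " $1 " in
        *" --rc-user "*|*" --rc-user="*|*" --rc-htpasswd "*|*" --rc-htpasswd="*)
            return 0 ;;
    esac
    return 1
}

# assess_rc_deployment VERSION_OUTPUT CMDLINE: print one of
#   not-in-affected-range           version is <1.48.0 or >=1.73.5
#   affected-version-auth-enforced  upgrade still required, but the
#                                   unauthenticated path is closed
#   exposed                         affected version and no auth flag seen
assess_rc_deployment() {
    ver=$(rclone_version_string "$1")
    if ! is_affected_version "$ver"; then
        echo "not-in-affected-range"
    elif rc_cmdline_has_auth "$2"; then
        echo "affected-version-auth-enforced"
    else
        echo "exposed"
    fi
}

# Constructed sample input standing in for `rclone version` and the
# process command line you would read from ps(1).
SAMPLE_VERSION_OUTPUT='rclone v1.72.3
- os/version: debian 13 (64 bit)'
SAMPLE_CMDLINE='rclone rcd --rc-addr 0.0.0.0:5572'

assess_rc_deployment "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CMDLINE"
```

On a real host, feed `rclone version` output and the `ps -o args=` line of the rcd process into `assess_rc_deployment`; any result other than `not-in-affected-range` means the package should be moved to 1.73.5 or later, and `exposed` means the RC port should not be reachable until that happens.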