#1140817 rclone: CVE-2026-49980

Package:
src:rclone
Source:
src:rclone
Submitter:
Salvatore Bonaccorso
Date:
2026-06-26 20:39:02 UTC
Severity:
normal
Tags:
#1140817#5
Date:
2026-06-26 20:37:55 UTC
From:
To:
Hi,

The following vulnerability was published for rclone.

CVE-2026-49980[0]:
| Rclone is a command-line program to sync files and directories to
| and from different cloud storage providers. From 1.46.0 until
| 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD
| requests to paths of the form: /[remote:path]/object. The remote
| value is parsed from the URL and passed to normal backend
| initialization. Inline remote configuration can set backend options
| that execute local commands during initialization. As a result, a
| single unauthenticated GET or HEAD request can execute a command as
| the rclone process user. This vulnerability is fixed in 1.74.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49980
https://www.cve.org/CVERecord?id=CVE-2026-49980
[1] https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore