CVE•Published 2026-04-23•Modified 2026-05-20•2 articles on news•6 live references•NVD data

CVE-2026-41179Rclone · Rclone

Vulnerability data via NVD (ingested)

CVSS v3.1

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS percentile

Exploit Prediction Scoring System · top 7% of all CVEs

Weaknesses (CWE)

CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')CWE-306Missing Authentication for Critical Function

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.

Timeline

Published 2026-04-23

Modified 2026-05-20

External references

NVD MITRE Exploit-DB Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-41179

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Rclone Rclone"

All exposed Rclone Rclone instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Rclone"

HTTP body or banner mentions "Rclone" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-41179