SB2026042022 - Multiple vulnerabilities in rclone
Published: April 20, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2026-41179)
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an OS command in the operations/fsinfo RC endpoint when processing attacker-controlled fs input that instantiates an inline WebDAV backend. A remote attacker can send a specially crafted request to execute arbitrary commands.
Exploitation requires the remote control API to be enabled, reachable by the attacker, and deployed without global RC HTTP authentication.
2) Missing Authentication for Critical Function (CVE-ID: CVE-2026-41176)
The vulnerability allows a remote attacker to bypass authorization and access sensitive administrative functionality, potentially leading to command execution.
The vulnerability exists due to missing authentication for the options/set RC endpoint in the rclone remote control API when handling unauthenticated requests that modify runtime configuration. A remote attacker can send a specially crafted request to disable the authorization gate for protected RC methods, bypassing authorization and gaining access to sensitive administrative functionality, potentially leading to command execution.
Exploitation requires the remote control API to be enabled, reachable by the attacker, and deployed without global RC HTTP authentication.
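As an added defender-side check (not part of this bulletin or of rclone's own code), the following Python script classifies an rclone command line against the three preconditions both vulnerabilities share: RC enabled, bound to a non-loopback address, and no global RC HTTP authentication. The flag names are assumed from rclone's documented remote-control options; `assess`, `parse_flags`, `bind_host` and `SAMPLES` are this example's own names.

```python
import shlex

# rclone's documented remote-control flags (assumed current; confirm with `rclone help flags`).
BARE_FLAGS = {"--rc", "--rc-serve", "--rc-no-auth", "--rc-web-gui"}  # take no value
AUTH_FLAGS = {"--rc-user", "--rc-pass", "--rc-htpasswd"}
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
DEFAULT_RC_ADDR = "localhost:5572"  # rclone's default for --rc-addr

def parse_flags(cmdline):
    """Return (subcommand, {flag: value}); accepts '--f v' and '--f=v', bare flags map to True."""
    tokens = shlex.split(cmdline)
    subcommand = tokens[1] if len(tokens) > 1 else ""
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
                flags[name] = value
            elif tok in BARE_FLAGS or i + 1 >= len(tokens):
                flags[tok] = True
            else:
                flags[tok] = tokens[i + 1]
                i += 1
        i += 1
    return subcommand, flags

def bind_host(addr):
    """Host part of an --rc-addr value; '' means all interfaces (e.g. ':5572')."""
    host, sep, _ = addr.rpartition(":")
    return host if sep else addr

def assess(cmdline):
    """Check one rclone invocation against the bulletin's exploitation preconditions."""
    subcommand, flags = parse_flags(cmdline)
    rc_enabled = subcommand == "rcd" or "--rc" in flags   # `rclone rcd` implies --rc
    reachable = bind_host(flags.get("--rc-addr", DEFAULT_RC_ADDR)) not in LOOPBACK
    authenticated = any(f in flags for f in AUTH_FLAGS)   # global RC HTTP auth configured
    return {
        "rc_enabled": rc_enabled,
        "reachable": rc_enabled and reachable,
        "authenticated": rc_enabled and authenticated,
        # True when all three of the bulletin's conditions hold for this deployment
        "exposed": rc_enabled and reachable and not authenticated,
    }

# Constructed sample invocations (not from any real deployment); only the first is exposed.
SAMPLES = ["rclone rcd --rc-addr 0.0.0.0:5572",
           "rclone serve webdav --rc --rc-addr=127.0.0.1:5572 /srv/data",
           "rclone rcd --rc-addr :5572 --rc-user admin --rc-pass PLACEHOLDER"]
```

Run it over the command lines from your service units or process list; an `exposed` result is the configuration both CVEs require, and the fix is to add `--rc-user`/`--rc-pass` (or `--rc-htpasswd`) or bind RC to loopback in addition to installing the vendor update.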
Remediation
Install the update from the vendor's website.