SB2026070935 - Multiple vulnerabilities in rclone
Published: July 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and modify files.
The vulnerability exists due to path traversal in the rclone serve s3 backend when handling S3 object requests containing dot-dot path segments in the object key. A remote attacker can send a specially crafted GET or PUT request to disclose sensitive information and modify files.
The issue is limited to files within the configured serve root, but it can escape the selected bucket namespace and access root-level files that are not intended to be exposed as S3 objects.
2) Path traversal (CVE-ID: CVE-2026-59732)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to overwrite objects outside the intended destination prefix.
The vulnerability exists due to path traversal in cmd/archive/extract/extract.go when extracting a crafted archive. A remote attacker can supply an archive containing ../ path components to overwrite objects outside the intended destination prefix.
User interaction is required to extract an attacker-controlled archive, and the issue affects S3-style object storage destinations where sibling objects in the same bucket/path scope may be created or overwritten.
3) Path traversal (CVE-ID: CVE-2026-59733)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to read, overwrite, and delete other users' repositories.
The vulnerability exists due to path traversal in the rclone serve restic private repository path handling when processing crafted URL paths containing ".." segments. A remote user can send a specially crafted HTTP request to read, overwrite, and delete other users' repositories.
Exploitation requires valid HTTP Basic credentials for the attacker's own private repository, the server must be running with serve restic --private-repos, and impact depends on a backend that resolves object paths with POSIX-style path cleaning semantics.
4) Cleartext transmission of sensitive information (CVE-ID: N/A)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext transmission of sensitive information in the S3 backend redirect handling logic when following a same-host redirect from https to http. A remote attacker can cause a crafted redirect response to expose the AWS STS session token in cleartext to disclose sensitive information.
Exploitation requires use of temporary credentials that include an STS session token and a redirect that changes the scheme without changing the host and port.
5) Incorrect permission assignment for critical resource (CVE-ID: N/A)
CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to incorrect permission assignment for critical resource in the local backend metadata handling when processing metadata-preserving copies from an untrusted or compromised remote. A remote attacker can supply a crafted file with attacker-controlled mode, uid, and gid metadata to escalate privileges.
User interaction is required to run a metadata-preserving copy or restore with -M. If the operation is run as root, the planted binary can become root-owned and setuid; otherwise it can yield the privileges of the service account running rclone.
6) Link following (CVE-ID: CVE-2026-54572)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper link resolution before file access in the local backend link handling in rclone when copying an attacker-controlled remote to a local destination with --links. A remote attacker can provide crafted .rclonelink objects and sibling files to achieve arbitrary file write outside the destination and execute arbitrary code.
User interaction is required to copy data from an untrusted remote while preserving symlinks.
Remediation
Install update from vendor's website.
References
- https://github.com/rclone/rclone/security/advisories/GHSA-8v25-v8p6-qf7v
- https://github.com/rclone/rclone/security/advisories/GHSA-4vr5-p2gc-h23p
- https://github.com/rclone/rclone/security/advisories/GHSA-fqj9-69pf-6pjg
- https://github.com/rclone/rclone/security/advisories/GHSA-gx4c-2hqx-cw2r
- https://github.com/rclone/rclone/commit/e7b1eb774
- https://github.com/rclone/rclone/security/advisories/GHSA-945v-v9p3-v5xw
- https://github.com/rclone/rclone/security/advisories/GHSA-cf44-9pgv-m4xc