OS Command Injection in rclone - CVE-2026-41179

Published: April 20, 2026


Vulnerability identifier: #VU126499
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2026-41179
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rclone.org
Affected software:
rclone

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in the operations/fsinfo remote control (RC) endpoint when it processes an attacker-controlled fs parameter that instantiates an inline WebDAV backend. A remote attacker can send a specially crafted request to the RC API and execute arbitrary commands on the host running rclone.

Exploitation requires that the remote control (RC) API is enabled, reachable from the attacker's network position, and deployed without global RC HTTP authentication (rclone's --rc-user/--rc-pass or --rc-htpasswd options). An rclone instance whose RC listener is bound to loopback only, or which requires credentials for every RC call, does not meet these conditions.
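The three preconditions above can be checked from a process listing. The following audit script is an added example and is not rclone's own code or part of the original advisory: it parses rclone command lines (for instance the output of ps -eo args) and flags instances where the RC API is enabled, bound to a non-loopback address, and running without HTTP credentials. The flag names (rcd, --rc, --rc-addr, --rc-user, --rc-pass, --rc-htpasswd, --rc-no-auth), the RCLONE_RC_* environment variables and the localhost:5572 default come from rclone's documentation; the function names and the sample command lines are constructed for the example.

```python
"""Audit rclone command lines for an RC API that is enabled, network-reachable
and running without HTTP authentication (the preconditions for CVE-2026-41179).

Added example, not rclone's own code. It only inspects command-line flags and
an optional dict of RCLONE_RC_* environment variables; it never talks to rclone.
"""
import os
import shlex

DEFAULT_RC_ADDR = "localhost:5572"  # rclone's documented default for --rc-addr
# RC flags that take a value as the next argv token when not written --flag=value
RC_VALUE_FLAGS = {
    "--rc-addr", "--rc-user", "--rc-pass", "--rc-htpasswd", "--rc-realm",
    "--rc-cert", "--rc-key", "--rc-files", "--rc-baseurl", "--rc-allow-origin",
}


def parse_flags(argv):
    """Split argv into ({flag: value_or_True}, [positional]). Only the RC flags
    listed above are known to consume a separate value; every other --flag is
    treated as boolean so positional arguments are not swallowed."""
    flags, positional, i = {}, [], 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, eq, val = tok.partition("=")
            if eq:
                flags[name] = val
            elif name in RC_VALUE_FLAGS and i + 1 < len(argv):
                flags[name] = argv[i + 1]
                i += 1
            else:
                flags[name] = True
        else:
            positional.append(tok)
        i += 1
    return flags, positional


def is_loopback(addr):
    """True if a host:port bind address listens on loopback only.
    ':5572', '0.0.0.0:5572' and '[::]:5572' bind all interfaces."""
    host, sep, _port = addr.rpartition(":")
    if not sep:
        host = addr
    host = host.strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")


def audit_rclone_cmdline(cmdline, env=None):
    """Return None if cmdline is not an rclone invocation, else an assessment
    dict. 'exposed' is True only when RC is enabled, bound to a non-loopback
    address and not protected by --rc-user/--rc-pass or --rc-htpasswd."""
    env = env or {}
    argv = shlex.split(cmdline)
    if not argv or not os.path.basename(argv[0]).startswith("rclone"):
        return None
    flags, positional = parse_flags(argv[1:])
    subcommand = positional[0] if positional else ""
    rc_enabled = subcommand == "rcd" or flags.get("--rc") is True
    if not rc_enabled:
        return {"rc_enabled": False, "exposed": False, "findings": []}

    addr = flags.get("--rc-addr") or env.get("RCLONE_RC_ADDR") or DEFAULT_RC_ADDR
    creds = any(flags.get(f) for f in ("--rc-user", "--rc-pass", "--rc-htpasswd")) or \
        any(env.get(v) for v in ("RCLONE_RC_USER", "RCLONE_RC_PASS", "RCLONE_RC_HTPASSWD"))
    no_auth = flags.get("--rc-no-auth") is True or \
        env.get("RCLONE_RC_NO_AUTH", "").lower() == "true"
    auth = "disabled" if no_auth else ("configured" if creds else "missing")
    reachable = not is_loopback(addr)

    findings = []
    if auth == "disabled":
        findings.append("--rc-no-auth: RC methods callable without credentials")
    elif auth == "missing":
        findings.append("no --rc-user/--rc-pass or --rc-htpasswd configured")
    if reachable:
        findings.append("RC bound to non-loopback address %s" % addr)
    return {
        "rc_enabled": True, "addr": addr, "auth": auth,
        "network_reachable": reachable,
        "exposed": reachable and auth != "configured",
        "findings": findings,
    }


# Constructed sample command lines, as they might appear in `ps -eo args`.
SAMPLE_CMDLINES = [
    "rclone rcd --rc-addr :5572 --rc-no-auth",                       # exposed
    "rclone rcd --rc-addr 127.0.0.1:5572 --rc-user admin --rc-pass s3cret",
    "rclone sync remote:bucket /data --rc",                           # loopback only
    "/usr/bin/rclone copy /src remote:dst",                           # RC not enabled
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        result = audit_rclone_cmdline(cmd)
        print("%-8s %s" % ("EXPOSED" if result["exposed"] else "ok", cmd))
        for finding in result["findings"]:
            print("         - " + finding)
```

The "missing" state is reported separately from "disabled" because rclone documents that, without --rc-user/--rc-pass, remote-accessing RC methods are refused unless --rc-no-auth is set; treat a "missing" result on a non-loopback bind as something to verify against the running instance rather than as a confirmed exposure.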


How to mitigate CVE-2026-41179

Install the security update from the vendor's website. Until it can be applied, reduce exposure by removing the conditions the attack depends on: do not enable the RC API where it is not needed, keep the RC listener bound to loopback (--rc-addr), and require credentials for RC calls (--rc-user/--rc-pass or --rc-htpasswd) instead of running with --rc-no-auth.

Sources