Missing Authentication for Critical Function in rclone - CVE-2026-41176

Published: April 20, 2026


Vulnerability identifier: #VU126500
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2026-41176
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rclone.org
Affected software:
rclone

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization and access sensitive administrative functionality, potentially leading to command execution.

The vulnerability exists due to missing authentication for the options/set RC endpoint in the rclone remote control API, which accepts unauthenticated requests that modify runtime configuration. A remote attacker can send a specially crafted request to this endpoint to disable the authorization gate for protected RC methods, bypass authorization and access sensitive administrative functionality, potentially leading to command execution.

Exploitation requires the remote control API to be enabled, reachable by the attacker, and deployed without global RC HTTP authentication.
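Since exploitation depends on how the RC API is deployed, an operator can audit the rclone command lines running on a host for the risky combination described above (RC enabled, bound to a non-loopback address, no global RC authentication). The script below is an added example, not part of this advisory or of rclone; it relies on real rclone flags (`--rc`, `--rc-addr`, `--rc-user`, `--rc-pass`, `--rc-htpasswd`, `--rc-no-auth`, and the `rcd` subcommand) and on rclone's documented default bind address `localhost:5572`; the command lines it inspects are constructed samples.

```python
"""Audit rclone command lines for an RC API reachable without global HTTP auth."""
import shlex
from ipaddress import ip_address

# Flags that take no value; everything else beginning with -- is treated as key/value.
BOOL_FLAGS = {"rc", "rc-no-auth", "rc-serve"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_flags(argv):
    """Collect --flag, --flag=value and --flag value pairs into {name: [values]}."""
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            name, eq, val = tok[2:].partition("=")
            if not eq and name not in BOOL_FLAGS and i + 1 < len(argv) \
                    and not argv[i + 1].startswith("-"):
                val = argv[i + 1]          # separate-token value form
                i += 1
            flags.setdefault(name, []).append(val)
        i += 1
    return flags


def is_loopback(addr):
    """--rc-addr is host:port, [v6]:port or :port; a bare :port binds all interfaces."""
    host = addr.rpartition(":")[0].strip("[]")
    if host == "":
        return False
    if host in LOOPBACK_HOSTS:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False                     # unresolved hostname: assume not local


def audit(cmdline):
    """Return RC exposure findings for one constructed rclone command line."""
    argv = shlex.split(cmdline)
    flags = parse_flags(argv[1:])
    rc_on = "rc" in flags or (len(argv) > 1 and argv[1] == "rcd")
    if not rc_on:
        return {"rc_enabled": False, "exposed": False, "findings": []}
    addrs = flags.get("rc-addr", ["localhost:5572"])   # rclone default bind
    has_auth = bool(flags.get("rc-user") or flags.get("rc-htpasswd"))
    findings = []
    if "rc-no-auth" in flags:
        findings.append("--rc-no-auth widens what unauthenticated callers may reach")
    if not has_auth:
        findings.append("no --rc-user/--rc-pass or --rc-htpasswd: no global RC auth")
    non_local = [a for a in addrs if not is_loopback(a)]
    if non_local:
        findings.append("RC bound to non-loopback address(es): " + ", ".join(non_local))
    # The advisory's precondition: reachable remotely AND no global authentication.
    return {"rc_enabled": True, "exposed": bool(non_local) and not has_auth,
            "findings": findings}
```

Feed it the command lines from `ps` output or service unit files; a result with `exposed` set to true matches the deployment condition the advisory describes, and the listed findings say which setting to change.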


How to mitigate CVE-2026-41176

Install the security update from the vendor's website.

Sources