Path traversal in rclone - #VU137260
Published: July 9, 2026
rclone
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and modify files.
The vulnerability exists due to path traversal in the rclone serve s3 backend when handling S3 object requests containing dot-dot path segments in the object key. A remote attacker can send a specially crafted GET or PUT request to disclose sensitive information and modify files.
The issue is limited to files within the configured serve root, but it can escape the selected bucket namespace and access root-level files that are not intended to be exposed as S3 objects.