Path traversal in rclone - #VU137260

 

Path traversal in rclone - #VU137260

Published: July 9, 2026


Vulnerability identifier: #VU137260
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rclone.org
Affected software:
rclone

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify files.

The vulnerability exists due to path traversal in the rclone serve s3 backend when handling S3 object requests containing dot-dot path segments in the object key. A remote attacker can send a specially crafted GET or PUT request to disclose sensitive information and modify files.

The issue is limited to files within the configured serve root, but it can escape the selected bucket namespace and access root-level files that are not intended to be exposed as S3 objects.


Remediation

Install security update from vendor's website.

Sources