Path traversal in rclone - CVE-2026-59732
Published: July 9, 2026
rclone
Detailed vulnerability description
The vulnerability allows a remote attacker to overwrite objects outside the intended destination prefix.
The vulnerability exists due to path traversal in cmd/archive/extract/extract.go when extracting a crafted archive. A remote attacker can supply an archive containing ../ path components to overwrite objects outside the intended destination prefix.
User interaction is required to extract an attacker-controlled archive, and the issue affects S3-style object storage destinations where sibling objects in the same bucket/path scope may be created or overwritten.