Link following in rclone - CVE-2026-54572

 

Link following in rclone - CVE-2026-54572

Published: July 9, 2026


Vulnerability identifier: #VU137265
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54572
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: rclone.org
Affected software:
rclone

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper link resolution before file access in the local backend link handling in rclone when copying an attacker-controlled remote to a local destination with --links. A remote attacker can provide crafted .rclonelink objects and sibling files to achieve arbitrary file write outside the destination and execute arbitrary code.

User interaction is required to copy data from an untrusted remote while preserving symlinks.


How to mitigate CVE-2026-54572

Install security update from vendor's website.

Sources