Link following in rclone - CVE-2026-54572
Published: July 9, 2026
rclone
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper link resolution before file access in the local backend link handling in rclone when copying an attacker-controlled remote to a local destination with --links. A remote attacker can provide crafted .rclonelink objects and sibling files to achieve arbitrary file write outside the destination and execute arbitrary code.
User interaction is required to copy data from an untrusted remote while preserving symlinks.