PT-2026-33832 · Rclone+2

0Wnerdied · Published 2026-04-20 · Updated 2026-05-25 · CVE-2026-41176

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rclone versions 1.45.0 through 1.73.4

Description: An authorization bypass exists in the Remote Control (RC) interface of Rclone. The RC method "options/set" is exposed without requiring authentication, so an unauthenticated attacker who can reach the RC port can modify the global runtime configuration. In particular, the attacker can set the rc.NoAuth option to true, which switches off the authorization gate that numerous other RC methods rely on. The condition arises on RC servers that are started without global HTTP authentication (no --rc-user/--rc-pass and no --rc-htpasswd) and are reachable over the network.

This flaw allows unauthorized use of sensitive administrative functionality, including configuration and operational methods such as "config/listremotes", "config/dump", "config/get", "operations/list", "operations/copyfile" and "core/command". Depending on the configuration, this may further enable local file reads, disclosure of credentials and remote configuration, filesystem enumeration, and remote command execution through the metadataMapper() function.

Recommendations: Update to version 1.73.5. Restrict network access to the Remote Control interface (rclone binds it to localhost:5572 by default; keep --rc-addr on a loopback address unless remote access is genuinely required). Do not start the RC server without global HTTP authentication: use --rc-user and --rc-pass, or --rc-htpasswd.
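The following is an added detection example and is not code from this advisory or from the rclone project. It is a small Go probe that checks whether an rc endpoint shows the condition described above, using only calls that change nothing on the server. It relies on rclone rc behaviour asserted here rather than stated on the page: rc/noop never needs auth, rc/noopauth always does, options/set accepts an empty object and sets nothing, a gated method on a server without auth answers 403, and a server started with --rc-user/--rc-pass answers 401 to everything. The target URL is a hypothetical command-line argument.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Assessment is the result of probing one rc server with non-mutating calls.
type Assessment struct {
	Reachable       bool // rc/noop answered 200: this is an rclone rc server
	AuthRequired    bool // rc/noop answered 401: global HTTP auth is configured
	OptionsSetOpen  bool // options/set accepted an empty body without auth
	GatedMethodOpen bool // rc/noopauth answered 200 without auth
}

// rcPost sends params as a JSON body to POST <base>/<method>, the form in which
// rclone's rc server takes calls, and returns only the HTTP status code.
func rcPost(client *http.Client, base, method string, params map[string]any) (int, error) {
	body, err := json.Marshal(params)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodPost, base+"/"+method, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	return resp.StatusCode, nil
}

// Assess probes base (for example "http://127.0.0.1:5572") without changing state:
//   rc/noop        never needs auth, so it confirms the target is an rc server
//   options/set {} an empty options object sets nothing, but a 200 shows the
//                  method named in the advisory is reachable without auth
//   rc/noopauth    always needs auth (assumed 403 when the gate is in place);
//                  200 means the gate is already off (--rc-no-auth, or bypassed)
func Assess(client *http.Client, base string) (Assessment, error) {
	var a Assessment
	status, err := rcPost(client, base, "rc/noop", map[string]any{})
	if err != nil {
		return a, err
	}
	switch status {
	case http.StatusUnauthorized:
		a.AuthRequired = true
		return a, nil
	case http.StatusOK:
		a.Reachable = true
	default:
		return a, nil
	}
	if status, err = rcPost(client, base, "options/set", map[string]any{}); err != nil {
		return a, err
	}
	a.OptionsSetOpen = status == http.StatusOK
	if status, err = rcPost(client, base, "rc/noopauth", map[string]any{}); err != nil {
		return a, err
	}
	a.GatedMethodOpen = status == http.StatusOK
	return a, nil
}

// Verdict turns an Assessment into the one-line finding an operator wants.
func Verdict(a Assessment) string {
	switch {
	case a.AuthRequired:
		return "global HTTP auth enforced on rc: not exposed"
	case !a.Reachable:
		return "not an rclone rc server"
	case a.GatedMethodOpen:
		return "privileged rc methods answer without auth: fully exposed"
	case a.OptionsSetOpen:
		return "options/set open while privileged methods are gated: rc.NoAuth bypass possible, update rclone and restrict access"
	default:
		return "options/set gated: not exploitable this way"
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: rcprobe http://host:5572")
		os.Exit(2)
	}
	client := &http.Client{Timeout: 5 * time.Second}
	a, err := Assess(client, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(Verdict(a))
}
```

Run it as `go run rcprobe.go http://host:5572` (the file name is a placeholder). The probe deliberately never sends a non-empty options/set body: flipping rc.NoAuth on a production server is the exploit, not a check, and the empty call already proves whether the gate applies to that method.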

Exploit · Fix

Weakness Enumeration: Missing Authentication

Related Identifiers

BIT-RCLONE-2026-41176
CVE-2026-41176
GHSA-25QR-6MPR-F7QX
GO-2026-4964
JLSEC-2026-280
OPENSUSE-SU-2026:10584-1
USN-8299-1

Affected Products

Linuxmint
Rclone
Ubuntu