PT-2026-33833 · Rclone+2

0Wnerdied · Published 2026-04-20 · Updated 2026-05-25

CVE-2026-41179 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rclone versions 1.48.0 through 1.73.4
Description: The RC endpoint "operations/fsinfo" is exposed without authentication and accepts attacker-controlled fs input. Because rc.GetFs() accepts inline (connection-string) backend definitions, an unauthenticated attacker can instantiate an arbitrary backend on demand. For the WebDAV backend, the configured bearer token command is executed during backend initialization, so a single unauthenticated request achieves local command execution on any reachable RC deployment that lacks global HTTP authentication.
Recommendations: Update to version 1.73.5. As a temporary workaround, restrict network access to the "operations/fsinfo" endpoint (for example, keep the RC listener on the default loopback address 127.0.0.1:5572 or put it behind a filtering proxy), or enable global RC HTTP authentication with --rc-user and --rc-pass, or with --rc-htpasswd, so that unauthenticated requests are rejected before any RC method is dispatched.
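The following checker is an added example, not code from the advisory or from the rclone project. It tests the two conditions the advisory ties together: whether the RC listener answers without HTTP credentials (the core/version RC method, which never required auth, is used purely as a read-only probe) and whether the reported version falls inside the affected range 1.48.0 to 1.73.4. A 401 on that probe means global --rc-user/--rc-pass or --rc-htpasswd authentication is active, which is the advisory's interim workaround. The target URL, the timeout and the result labels are assumptions for illustration.

```python
"""Probe an rclone RC listener for missing global HTTP auth and an affected version.

Added example (not the advisory's or rclone's own code). Assumes the RC server
is one you are authorised to test; it only calls the read-only core/version method.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Inclusive affected range from the advisory; 1.73.5 carries the fix.
AFFECTED_MIN = (1, 48, 0)
AFFECTED_MAX = (1, 73, 4)


def parse_version(text):
    """Turn 'v1.73.4' or 'rclone v1.73.4-DEV' into a (major, minor, patch) tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in the advisory's affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(status, body):
    """Classify one unauthenticated core/version response.

    status: HTTP status code; body: response bytes (may be empty).
    Labels (assumed for this example):
      'auth-enforced'  -> 401: global RC HTTP auth rejects anonymous callers
      'affected'       -> 200 and version within 1.48.0..1.73.4
      'not-affected'   -> 200 and version outside that range
      'unknown'        -> anything else (non-JSON body, other status, ...)
    """
    if status == 401:
        return "auth-enforced"
    if status != 200:
        return "unknown"
    try:
        version = json.loads(body).get("version", "")
        return "affected" if is_affected(version) else "not-affected"
    except (ValueError, AttributeError):
        # ValueError covers both bad JSON and a body with no parsable version.
        return "unknown"


def probe(url, timeout=5):
    """POST {} to <url>/core/version with no credentials and classify the reply."""
    req = urllib.request.Request(
        url.rstrip("/") + "/core/version",
        data=b"{}",
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return assess(e.code, e.read())


if __name__ == "__main__":
    # Assumed default target: rclone's stock RC bind address.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5572"
    print(target, probe(target))
```

A result of "affected" means an anonymous client can reach RC methods and the build predates the fix; treat that host as exposed until it is upgraded or global auth is enabled. "auth-enforced" only shows that HTTP auth is on; it says nothing about the version, so still confirm the upgrade to 1.73.5.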

Weakness Enumeration

OS Command Injection
Missing Authentication

Related Identifiers

BIT-RCLONE-2026-41179
CVE-2026-41179
GHSA-JFWF-28XR-XW6Q
OPENSUSE-SU-2026:10584-1
USN-8299-1

Affected Products

Linuxmint
Rclone
Ubuntu