Vulnerability-Lookup

CVE-2026-41176 (GCVE-0-2026-41176)

Vulnerability from cvelistv5 – Published: 2026-04-22 23:57 – Updated: 2026-04-23 14:36

Title

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

Summary

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/rclone/rclone/security/advisor…	x_refsource_CONFIRM
	https://github.com/rclone/rclone/blob/bf55d5e6d37…	x_refsource_MISC
	https://github.com/rclone/rclone/blob/bf55d5e6d37…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	rclone	rclone	Affected: >= 1.45.0, < 1.73.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41176",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T14:36:39.313605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T14:36:47.415Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rclone",
          "vendor": "rclone",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.45.0, \u003c 1.73.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T23:57:54.075Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"
        },
        {
          "name": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go"
        },
        {
          "name": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go"
        }
      ],
      "source": {
        "advisory": "GHSA-25qr-6mpr-f7qx",
        "discovery": "UNKNOWN"
      },
      "title": "Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41176",
    "datePublished": "2026-04-22T23:57:54.075Z",
    "dateReserved": "2026-04-17T16:34:45.526Z",
    "dateUpdated": "2026-04-23T14:36:47.415Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41176",
      "date": "2026-04-23",
      "epss": "0.00039",
      "percentile": "0.11869"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41176\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-23T00:16:45.800\",\"lastModified\":\"2026-04-23T16:16:25.980\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-306\", \"lang\": \"en\", \"description\": \"CWE-306: Missing Authentication for Critical Function\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 9.2, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx\"}, {\"name\": \"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go\"}, {\"name\": \"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go\"}], \"affected\": [{\"vendor\": \"rclone\", \"product\": \"rclone\", \"versions\": [{\"version\": \"\u003e= 1.45.0, \u003c 1.73.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-22T23:57:54.075Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.\"}], \"source\": {\"advisory\": \"GHSA-25qr-6mpr-f7qx\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41176\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T14:36:39.313605Z\"}}}], \"references\": [{\"url\": \"https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T14:36:04.300Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41176\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-17T16:34:45.526Z\", \"datePublished\": \"2026-04-22T23:57:54.075Z\", \"dateUpdated\": \"2026-04-23T14:36:47.415Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-25QR-6MPR-F7QX

Vulnerability from github – Published: 2026-04-22 14:44 – Updated: 2026-04-22 14:44

Summary

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

Details

Summary

The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

Preconditions

Preconditions for this vulnerability are:

The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc

Details

The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.

The issue is caused by two properties of the RC implementation:

options/set is exposed without AuthRequired: true
the RC server enforces authorization for AuthRequired calls using the mutable runtime value s.opt.NoAuth

Relevant code paths:

fs/rc/config.go
registers options/set without AuthRequired: true
rcOptionsSet reshapes attacker-controlled input into global option blocks
fs/rc/rcserver/rcserver.go
request handling checks:
- if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()
once rc.NoAuth is changed to true, later AuthRequired methods become callable without credentials

This creates a runtime auth-bypass primitive on the RC interface.

After setting rc.NoAuth=true, previously protected administrative methods become callable, including configuration and operational endpoints such as:

config/listremotes
config/dump
config/get
operations/list
operations/copyfile
core/command

Relevant code for the second-stage command execution path:

fs/metadata.go
metadataMapper() uses exec.Command(...)
fs/operations/rc.go
operations/copyfile is normally AuthRequired: true
once rc.NoAuth=true, it becomes reachable without credentials

This was validating using the following: - current master as of 2026-04-14: bf55d5e6d37fd86164a87782191f9e1ffcaafa82 - latest public release tested locally: v1.73.4

The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

PoC

Minimal reproduction

Start a vulnerable server:

rclone rcd --rc-addr 127.0.0.1:5572

No --rc-user, no --rc-pass, no --rc-htpasswd.

First confirm that a protected RC method is initially blocked:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 403.

Use unauthenticated options/set to disable the auth gate:

curl -sS -X POST http://127.0.0.1:5572/options/set \
  -H 'Content-Type: application/json' \
  --data '{"rc":{"NoAuth":true}}'

Expected result: HTTP 200 {}

Then call the same protected method again without credentials:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 200 with a JSON response such as:

{"remotes":[]}

Testing performed

This was successfully reproduced: - on the tester's ocal test environment - on a public amd64 Ubuntu host controlled by the tester

Using the public host, the following was confirmed:

unauthenticated options/set successfully set rc.NoAuth=true
previously protected RC methods became callable without credentials
the issue was reproducible through direct host execution

Impact

This is an authorization bypass on the RC administrative interface.

It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.

Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rclone/rclone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.45.0"
            },
            {
              "fixed": "1.73.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T14:44:13Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.\n\n### Preconditions\n\nPreconditions for this vulnerability are:\n\n- The rclone remote control API **must** be enabled, either by the `--rc` flag or by running the `rclone rcd` server\n- The remote control API **must** be reachable by the attacker - by default rclone only serves the rc to localhost unless the `--rc-addr` flag is in use\n- The rc must have been deployed **without** global RC HTTP authentication - so not using `--rc-user`/`--rc-pass`/`--rc-htpasswd`/etc\n\n### Details\nThe root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.\n\nThe issue is caused by two properties of the RC implementation:\n\n1. `options/set` is exposed without `AuthRequired: true`\n2. the RC server enforces authorization for `AuthRequired` calls using the mutable runtime value `s.opt.NoAuth`\n\nRelevant code paths:\n\n- [`fs/rc/config.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go)\n  - registers `options/set` without `AuthRequired: true`\n  - `rcOptionsSet` reshapes attacker-controlled input into global option blocks\n\n- [`fs/rc/rcserver/rcserver.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go)\n  - request handling checks:\n    - `if !s.opt.NoAuth \u0026\u0026 call.AuthRequired \u0026\u0026 !s.server.UsingAuth()`\n  - once `rc.NoAuth` is changed to `true`, later `AuthRequired` methods become callable without credentials\n\nThis creates a runtime auth-bypass primitive on the RC interface.\n\nAfter setting `rc.NoAuth=true`, previously protected administrative methods become callable, including configuration and operational endpoints such as:\n\n- `config/listremotes`\n- `config/dump`\n- `config/get`\n- `operations/list`\n- `operations/copyfile`\n- `core/command`\n\nRelevant code for the second-stage command execution path:\n\n- [`fs/metadata.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/metadata.go)\n  - `metadataMapper()` uses `exec.Command(...)`\n\n- [`fs/operations/rc.go`](https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go)\n  - `operations/copyfile` is normally `AuthRequired: true`\n  - once `rc.NoAuth=true`, it becomes reachable without credentials\n\nThis was validating using the following:\n- current `master` as of 2026-04-14: `bf55d5e6d37fd86164a87782191f9e1ffcaafa82`\n- latest public release tested locally: `v1.73.4`\n\nThe issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).\n\n### PoC\n#### Minimal reproduction\nStart a vulnerable server:\n\n```bash\nrclone rcd --rc-addr 127.0.0.1:5572\n```\n\nNo `--rc-user`, no `--rc-pass`, no `--rc-htpasswd`.\n\nFirst confirm that a protected RC method is initially blocked:\n\n```bash\ncurl -sS -X POST http://127.0.0.1:5572/config/listremotes \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{}\u0027\n```\n\nExpected result: HTTP 403.\n\nUse unauthenticated `options/set` to disable the auth gate:\n\n```bash\ncurl -sS -X POST http://127.0.0.1:5572/options/set \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"rc\":{\"NoAuth\":true}}\u0027\n```\n\nExpected result: HTTP 200 `{}`\n\nThen call the same protected method again without credentials:\n\n```bash\ncurl -sS -X POST http://127.0.0.1:5572/config/listremotes \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{}\u0027\n```\n\nExpected result: HTTP 200 with a JSON response such as:\n\n```json\n{\"remotes\":[]}\n```\n\n#### Testing performed\nThis was successfully reproduced:\n- on the tester\u0027s ocal test environment\n- on a public amd64 Ubuntu host controlled by the tester\n\nUsing the public host, the following was confirmed:\n\n- unauthenticated `options/set` successfully set `rc.NoAuth=true`\n- previously protected RC methods became callable without credentials\n- the issue was reproducible through direct host execution\n\n### Impact\nThis is an authorization bypass on the RC administrative interface.\n\nIt can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.\n\nDepending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.",
  "id": "GHSA-25qr-6mpr-f7qx",
  "modified": "2026-04-22T14:44:13Z",
  "published": "2026-04-22T14:44:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rclone/rclone"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution"
}

FKIE_CVE-2026-41176

Vulnerability from fkie_nvd - Published: 2026-04-23 00:16 - Updated: 2026-04-23 16:16

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
	security-advisories@github.com	https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
	security-advisories@github.com	https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue."
    }
  ],
  "id": "CVE-2026-41176",
  "lastModified": "2026-04-23T16:16:25.980",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T00:16:45.800",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

OPENSUSE-SU-2026:10584-1

Vulnerability from csaf_opensuse - Published: 2026-04-20 00:00 - Updated: 2026-04-20 00:00

Summary

rclone-1.73.5-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: rclone-1.73.5-1.1 on GA media

Description of the patch: These are all security issues fixed in the rclone-1.73.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10584

CVE-2026-41176

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-41179

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-41176/	self
	https://www.suse.com/security/cve/CVE-2026-41179/	self
	https://www.suse.com/security/cve/CVE-2026-41176	external
	https://www.suse.com/security/cve/CVE-2026-41179	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "rclone-1.73.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the rclone-1.73.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10584",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10584-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41176 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41176/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41179 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41179/"
      }
    ],
    "title": "rclone-1.73.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-20T00:00:00Z",
      "generator": {
        "date": "2026-04-20T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10584-1",
      "initial_release_date": "2026-04-20T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-20T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.73.5-1.1.aarch64",
                "product": {
                  "name": "rclone-1.73.5-1.1.aarch64",
                  "product_id": "rclone-1.73.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.73.5-1.1.aarch64",
                "product": {
                  "name": "rclone-bash-completion-1.73.5-1.1.aarch64",
                  "product_id": "rclone-bash-completion-1.73.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.73.5-1.1.aarch64",
                "product": {
                  "name": "rclone-zsh-completion-1.73.5-1.1.aarch64",
                  "product_id": "rclone-zsh-completion-1.73.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.73.5-1.1.ppc64le",
                "product": {
                  "name": "rclone-1.73.5-1.1.ppc64le",
                  "product_id": "rclone-1.73.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.73.5-1.1.ppc64le",
                "product": {
                  "name": "rclone-bash-completion-1.73.5-1.1.ppc64le",
                  "product_id": "rclone-bash-completion-1.73.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.73.5-1.1.ppc64le",
                "product": {
                  "name": "rclone-zsh-completion-1.73.5-1.1.ppc64le",
                  "product_id": "rclone-zsh-completion-1.73.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.73.5-1.1.s390x",
                "product": {
                  "name": "rclone-1.73.5-1.1.s390x",
                  "product_id": "rclone-1.73.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.73.5-1.1.s390x",
                "product": {
                  "name": "rclone-bash-completion-1.73.5-1.1.s390x",
                  "product_id": "rclone-bash-completion-1.73.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.73.5-1.1.s390x",
                "product": {
                  "name": "rclone-zsh-completion-1.73.5-1.1.s390x",
                  "product_id": "rclone-zsh-completion-1.73.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rclone-1.73.5-1.1.x86_64",
                "product": {
                  "name": "rclone-1.73.5-1.1.x86_64",
                  "product_id": "rclone-1.73.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-bash-completion-1.73.5-1.1.x86_64",
                "product": {
                  "name": "rclone-bash-completion-1.73.5-1.1.x86_64",
                  "product_id": "rclone-bash-completion-1.73.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "rclone-zsh-completion-1.73.5-1.1.x86_64",
                "product": {
                  "name": "rclone-zsh-completion-1.73.5-1.1.x86_64",
                  "product_id": "rclone-zsh-completion-1.73.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.73.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.73.5-1.1.aarch64"
        },
        "product_reference": "rclone-1.73.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.73.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.73.5-1.1.ppc64le"
        },
        "product_reference": "rclone-1.73.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.73.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.73.5-1.1.s390x"
        },
        "product_reference": "rclone-1.73.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-1.73.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-1.73.5-1.1.x86_64"
        },
        "product_reference": "rclone-1.73.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.73.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.aarch64"
        },
        "product_reference": "rclone-bash-completion-1.73.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.73.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.ppc64le"
        },
        "product_reference": "rclone-bash-completion-1.73.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.73.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.s390x"
        },
        "product_reference": "rclone-bash-completion-1.73.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-bash-completion-1.73.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.x86_64"
        },
        "product_reference": "rclone-bash-completion-1.73.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.73.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.aarch64"
        },
        "product_reference": "rclone-zsh-completion-1.73.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.73.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.ppc64le"
        },
        "product_reference": "rclone-zsh-completion-1.73.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.73.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.s390x"
        },
        "product_reference": "rclone-zsh-completion-1.73.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rclone-zsh-completion-1.73.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.x86_64"
        },
        "product_reference": "rclone-zsh-completion-1.73.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41176",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41176"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41176",
          "url": "https://www.suse.com/security/cve/CVE-2026-41176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41176"
    },
    {
      "cve": "CVE-2026-41179",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41179"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-1.73.5-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.x86_64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.aarch64",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.ppc64le",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.s390x",
          "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41179",
          "url": "https://www.suse.com/security/cve/CVE-2026-41179"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-1.73.5-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-bash-completion-1.73.5-1.1.x86_64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.aarch64",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.ppc64le",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.s390x",
            "openSUSE Tumbleweed:rclone-zsh-completion-1.73.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-41179"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41176 (GCVE-0-2026-41176)

GHSA-25QR-6MPR-F7QX

Summary

Preconditions

Details

PoC

Minimal reproduction

Testing performed

Impact

FKIE_CVE-2026-41176

OPENSUSE-SU-2026:10584-1

Tags

Sightings

Nomenclature