CVE

DEBIAN-CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers.

CVE

DEBIAN-CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers.

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://security-tracker.debian.org/tracker/CVE-2026-41176

Severity

9.8

CVSS Score

Basic Information

Ecosystem

Base CVSS

9.8

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

DEBIAN-CVE-2026-41176

DEBIAN-CVE-2026-41176

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

9.8

Basic Information

Fix Critical Vulnerabilities Instantly