CVE-2026-41179
Publication date 23 April 2026
Last updated 27 May 2026
Ubuntu priority
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rclone | 26.04 LTS resolute |
Fixed 1.60.1+dfsg-4ubuntu3.1
|
| 25.10 questing |
Fixed 1.60.1+dfsg-4ubuntu2.1
|
|
| 24.04 LTS noble |
Fixed 1.60.1+dfsg-3ubuntu0.24.04.5
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
References
Related Ubuntu Security Notices (USN)
- USN-8299-1
- Rclone vulnerabilities
- 25 May 2026