{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/rclone/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-41176"},{"id":"CVE-2026-41179"}],"_cs_exploited":true,"_cs_products":["Rclone"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","cloud"],"_cs_type":"threat","_cs_vendors":["Rclone"],"content_html":"\u003cp\u003eTwo critical unauthenticated remote code execution vulnerabilities, CVE-2026-41176 and CVE-2026-41179, have been discovered in Rclone versions prior to 1.73.5. Rclone is a command-line program used to manage files on cloud storage services. These vulnerabilities can be exploited if the Rclone remote control (RC) API is enabled without proper authentication (e.g., \u003ccode\u003e--rc-user/--rc-pass/--rc-htpasswd\u003c/code\u003e). An attacker with network access to a vulnerable Rclone instance can bypass authentication, execute arbitrary commands, and potentially gain full system compromise. As organizations increasingly rely on cloud storage, vulnerabilities in tools like Rclone can have significant impact by enabling data theft and lateral movement. The vulnerabilities were reported on April 24, 2026, with no known active exploitation as of April 23, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target system running Rclone with the RC API enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the RC API is exposed on a reachable network address (e.g., not only localhost) and is not protected by HTTP authentication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-41179, the attacker sends a single crafted HTTP request to the RC endpoint, leveraging the WebDAV backend initialization process.\u003c/li\u003e\n\u003cli\u003eThis crafted request triggers the execution of arbitrary commands on the target system without authentication.\u003c/li\u003e\n\u003cli\u003eFor CVE-2026-41176, the attacker bypasses authentication controls to access sensitive administrative functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates Rclone configuration or invokes operational RC methods to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains local file read/write access, potentially stealing sensitive data or uploading malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise, enabling data theft, lateral movement within the network, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41176 and CVE-2026-41179 can lead to full system compromise, data theft, lateral movement, or denial of service. Specifically, attackers can achieve local file read, file write, or shell access, depending on the environment. The impact includes potential exposure of sensitive cloud data and configurations, which could compromise the integrity and confidentiality of stored information. Given Rclone\u0026rsquo;s popularity among organizations managing cloud storage, a successful attack could affect a large number of victims across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rclone to version 1.73.5 or later to patch CVE-2026-41176 and CVE-2026-41179 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eEnable global HTTP authentication on RC servers using \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e to mitigate the unauthenticated access, as mentioned in the description of the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement network-level controls (e.g., firewall rules) to restrict access to RC server endpoints and the RC service, as suggested by CCB.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Rclone RC API Access Without Authentication\u0026rdquo; to identify potentially vulnerable Rclone instances within your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-rclone-rce/","summary":"Rclone versions prior to 1.73.5 are vulnerable to two critical unauthenticated remote code execution vulnerabilities (CVE-2026-41176 and CVE-2026-41179) when the remote control API is enabled without authentication, potentially allowing attackers to execute arbitrary commands and compromise the system.","title":"Rclone Unauthenticated Remote Code Execution Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-rclone-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rclone"],"_cs_severities":["critical"],"_cs_tags":["rclone","auth-bypass","rc-api","CVE-2026-41176","command-execution"],"_cs_type":"advisory","_cs_vendors":["rclone"],"content_html":"\u003cp\u003eRclone, a command-line program to manage files on cloud storage, is vulnerable to an authentication bypass via its remote control (RC) API. The vulnerability, present from version 1.45 onwards, stems from the \u003ccode\u003eoptions/set\u003c/code\u003e endpoint being exposed without authentication requirements, while still being able to modify the global runtime configuration.  An unauthenticated attacker can exploit this vulnerability by setting the \u003ccode\u003erc.NoAuth\u003c/code\u003e parameter to \u003ccode\u003etrue\u003c/code\u003e, effectively disabling the authentication gate for numerous RC methods registered with \u003ccode\u003eAuthRequired: true\u003c/code\u003e. This allows unauthorized access to sensitive administrative functionality, including configuration settings and operational commands. The issue was validated against \u003ccode\u003ev1.73.4\u003c/code\u003e and the current \u003ccode\u003emaster\u003c/code\u003e branch as of April 14, 2026. This vulnerability is especially critical when the RC API is exposed without global HTTP authentication (i.e. \u003ccode\u003e--rc-user\u003c/code\u003e/\u003ccode\u003e--rc-pass\u003c/code\u003e are not set), as it allows complete control of the Rclone instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Rclone instance with the RC API enabled (via \u003ccode\u003e--rc\u003c/code\u003e or \u003ccode\u003erclone rcd\u003c/code\u003e) that is reachable on the network. The attacker confirms that the RC API is not protected by global HTTP authentication (no \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e flags).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the \u003ccode\u003e/options/set\u003c/code\u003e endpoint with a JSON payload setting \u003ccode\u003erc.NoAuth\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e: \u003ccode\u003e{\u0026quot;rc\u0026quot;:{\u0026quot;NoAuth\u0026quot;:true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Rclone RC server processes the request and updates the runtime configuration, disabling the authentication requirement for subsequent RC calls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-unprotected RC API to access sensitive configuration data using endpoints like \u003ccode\u003e/config/listremotes\u003c/code\u003e, \u003ccode\u003e/config/dump\u003c/code\u003e, or \u003ccode\u003e/config/get\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker can list the available filesystems and remote configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses operational endpoints such as \u003ccode\u003e/operations/list\u003c/code\u003e to list files and directories within a configured remote.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003e/operations/copyfile\u003c/code\u003e endpoint to copy files from one location to another, potentially exfiltrating sensitive data or overwriting critical files.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker uses the \u003ccode\u003e/core/command\u003c/code\u003e endpoint to execute arbitrary commands on the host system, achieving complete system compromise. This endpoint utilizes the \u003ccode\u003eexec.Command(...)\u003c/code\u003e function, allowing arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to bypass intended access controls on the Rclone RC administrative interface. The impact ranges from sensitive configuration disclosure and filesystem enumeration to arbitrary command execution on the host system. This could lead to complete system compromise, data exfiltration, or denial of service.  The vulnerability affects Rclone instances from version 1.45 up to (but not including) 1.73.5. The severity is amplified when the RC API is exposed to a wider network without proper authentication measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rclone to version 1.73.5 or later to patch CVE-2026-41176.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure that the Rclone RC API is protected by global HTTP authentication using the \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/options/set\u003c/code\u003e endpoint without authentication, indicative of exploitation attempts. Deploy the provided Sigma rule to detect this activity.\u003c/li\u003e\n\u003cli\u003eReview Rclone RC API access logs for unauthorized access to sensitive endpoints such as \u003ccode\u003e/config/listremotes\u003c/code\u003e, \u003ccode\u003e/config/dump\u003c/code\u003e, \u003ccode\u003e/config/get\u003c/code\u003e, \u003ccode\u003e/operations/list\u003c/code\u003e, \u003ccode\u003e/operations/copyfile\u003c/code\u003e, and \u003ccode\u003e/core/command\u003c/code\u003e after the \u003ccode\u003e/options/set\u003c/code\u003e endpoint has been accessed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-rclone-auth-bypass/","summary":"Rclone is vulnerable to an unauthenticated options/set vulnerability that allows runtime authentication bypass, potentially leading to sensitive operations and command execution by setting `rc.NoAuth=true` on reachable RC servers started without global HTTP authentication.","title":"Rclone Unauthenticated options/set Allows Runtime Auth Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-rclone-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Rclone","version":"https://jsonfeed.org/version/1.1"}