External risk intelligence

Rclone's remote control (RC) interface can be tricked into running attacker-supplied commands, giving an attacker control of the host.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-41179

An external attacker who can reach the Rclone remote control (RC) interface can make Rclone run unauthorized commands on the host. This could give the attacker full control of the system, putting your data and business operations at risk.

Halo Surface Signal score: 2

Weakness: OS Command Injection

Product: Rclone

Affected versions: 1.48.0 to before 1.73.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-41179

Rclone is primarily a command-line utility. The vulnerable remote control (RC) interface is optional: it is off unless explicitly enabled (with the `--rc` flag or the `rclone rcd` command) and, when enabled, binds to localhost:5572 unless `--rc-addr` is set to something else. Because the interface is typically used for local or internal file synchronization tasks, public internet exposure is uncommon and generally the result of a deliberate, non-standard configuration choice.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an unauthenticated attacker to execute arbitrary commands on systems running Rclone with its remote control (RC) interface reachable. The issue stems from an RC endpoint that does not require authentication and accepts user-controlled input that Rclone uses to instantiate a storage backend, so the attacker can supply a backend definition of their own choosing. This can lead to serious compromise wherever the RC interface is accessible.

  • Attacker can run commands on the server.
  • Affects Rclone deployments with remote control enabled.
  • Requires the remote control interface to be reachable.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending a specially crafted request to the Rclone RC endpoint. The request makes Rclone initialize an attacker-controlled WebDAV backend whose `bearer_token_command` option is set by the attacker; Rclone runs that option as a command on the host to obtain a bearer token, so initializing the backend executes the attacker's command. No authentication is needed at any point.

  • No authentication required.
  • RC endpoint targeted.
  • Rclone RC interface must be exposed.
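The attack path above has a recognizable shape in RC traffic: a backend parameter (`fs`, `srcFs` or `dstFs`) that carries an inline backend definition, `:webdav,option=value,...:` in rclone's connection-string syntax, with `bearer_token_command` among the options. The detector below is an added example, not code from this page or from the rclone project. It parses that syntax and flags matching requests. The request records and rc method paths are constructed for the example and do not identify the vulnerable endpoint; the point is the value of the `fs`-style parameter, which the RC server accepts both as a query string and as a JSON body.

```python
import json
from urllib.parse import parse_qs

# Constructed sample of RC requests as (path, query string, JSON body).
# These are made-up records for this example, not real rclone logs, and the
# method paths are assumptions; only the shape of the backend parameter matters.
SAMPLE_REQUESTS = [
    ("/operations/list", "", json.dumps({"fs": "s3:backups", "remote": "2024"})),
    ("/operations/list", "", json.dumps({
        "fs": ':webdav,url="http://203.0.113.9/",bearer_token_command="id":',
        "remote": ""})),
    ("/operations/about", "fs=%3Awebdav%2Cbearer_token_command%3Dwhoami%3A", ""),
    ("/operations/about", "", json.dumps({"fs": "mywebdav:"})),
    ("/sync/copy", "", json.dumps({"srcFs": "/data",
                                   "dstFs": ':sftp,host="10.0.0.5":/backup'})),
]

RISKY_OPTIONS = {"bearer_token_command"}  # backend options rclone runs as a command
FS_PARAMS = ("fs", "srcFs", "dstFs")      # rc parameters that name a backend


def _split_unquoted(text, sep, maxsplit=-1):
    """Split on sep, ignoring separators inside double-quoted runs.
    rclone quotes option values with " and writes a literal " as ""."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == sep and not in_quote and maxsplit != 0:
            parts.append("".join(buf))
            buf = []
            maxsplit -= 1
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _unquote(value):
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def parse_remote(spec):
    """Split a remote spec into (name, options, path, on_the_fly).

    Handles 'remote:path', 'remote,key=val:path' (option override on a
    configured remote) and the on-the-fly form ':backend,key="v, v":path'.
    Returns None for a plain local path. Windows drive letters are not
    handled; this is a simplified parser for log review, not rclone's own."""
    on_the_fly = spec.startswith(":")
    body = spec[1:] if on_the_fly else spec
    head, *rest = _split_unquoted(body, ":", maxsplit=1)
    if not rest:
        return None
    name, *opts = _split_unquoted(head, ",")
    options = {}
    for opt in opts:
        key, _, val = opt.partition("=")
        options[key.strip()] = _unquote(val)
    return name, options, rest[0], on_the_fly


def _request_params(query, body):
    """Merge query-string and JSON-body parameters; the rc server accepts both."""
    params = {k: v[-1] for k, v in parse_qs(query).items()}
    if body:
        try:
            params.update(json.loads(body))
        except json.JSONDecodeError:
            pass
    return params


def find_risky_backend_requests(requests):
    """Return (index, path, param, backend, option) for each request whose
    backend parameter sets an option that rclone would execute as a command."""
    findings = []
    for idx, (path, query, body) in enumerate(requests):
        params = _request_params(query, body)
        for key in FS_PARAMS:
            value = params.get(key)
            if not isinstance(value, str):
                continue
            parsed = parse_remote(value)
            if parsed is None:
                continue
            name, options, _path, _on_the_fly = parsed
            for risky in sorted(RISKY_OPTIONS.intersection(options)):
                findings.append((idx, path, key, name, risky))
    return findings


if __name__ == "__main__":
    for finding in find_risky_backend_requests(SAMPLE_REQUESTS):
        print("suspicious rc request:", finding)
```

The detector flags the option name rather than the backend, so an override such as `mywebdav,bearer_token_command=...:` on an already configured remote is caught as well as the fully inline `:webdav,...:` form. Feed it the RC requests from a reverse proxy or `--rc` access logs; any hit from a client that is not your own automation deserves an incident ticket.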

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated command execution by leveraging the Rclone RC endpoint's ability to instantiate attacker-controlled backends. Attackers may find this appealing due to the critical impact of remote code execution, but exploitation requires the RC interface to be exposed without global HTTP authentication, which is not the default configuration.

  • Exploitation requires RC interface exposure.
  • No evidence of widespread exploitation.
  • Vulnerability patched in 1.73.5.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching all Rclone instances to version 1.73.5 or later to address the unauthenticated command execution vulnerability. If patching is delayed, restrict the RC interface immediately: keep it bound to loopback (`--rc-addr localhost:5572`, which is the default), require global HTTP authentication with `--rc-user` and `--rc-pass` (or `--rc-htpasswd`), and block any network traffic targeting the RC endpoint on externally facing interfaces.

  • Upgrade rclone to 1.73.5+.
  • Bind the RC interface to loopback and require RC authentication.
  • Block external access to the RC endpoint.
  • Monitor for suspicious RC activity.
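Turning the remediation steps into an inventory check, as an added example that is not part of this page or of rclone itself: the script parses `rclone version` output against the affected range stated above (1.48.0 up to, but not including, 1.73.5) and audits an rclone command line for the two conditions the advisory ties to exploitability, an RC interface reachable beyond loopback and no global HTTP authentication. The flag handling is a simplified reading of rclone's `--rc`, `--rc-addr`, `--rc-no-auth`, `--rc-user`, `--rc-pass` and `--rc-htpasswd` options; the sample inventory is constructed.

```python
import re
import shlex

AFFECTED_FROM = (1, 48, 0)  # from the advisory: 1.48.0 up to, but not including, 1.73.5
FIXED_IN = (1, 73, 5)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_version(text):
    """Extract (major, minor, patch) from an 'rclone version' line such as 'rclone v1.73.4'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def _flag_value(args, name):
    """Value of '--name value' or '--name=value', or None when the flag is absent."""
    for i, arg in enumerate(args):
        if arg == name and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(name + "="):
            return arg[len(name) + 1:]
    return None


def audit_rc_command(cmdline):
    """Findings for one rclone command line; an empty list means nothing to flag.

    The RC interface is on for 'rclone rcd' or any command given --rc. It binds
    to localhost:5572 unless --rc-addr says otherwise, and global HTTP auth is
    only present when --rc-user (with --rc-pass) or --rc-htpasswd is set."""
    args = shlex.split(cmdline)
    if "rcd" not in args and "--rc" not in args:
        return []
    findings = []
    addr = _flag_value(args, "--rc-addr") or "localhost:5572"
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    if host not in LOOPBACK_HOSTS:
        findings.append(f"rc bound to {addr!r}, reachable beyond loopback")
    has_auth = (_flag_value(args, "--rc-user") is not None
                or _flag_value(args, "--rc-htpasswd") is not None)
    if "--rc-no-auth" in args:
        findings.append("--rc-no-auth disables authentication on the rc interface")
    elif not has_auth:
        findings.append("no global HTTP authentication (--rc-user/--rc-pass or --rc-htpasswd) configured")
    return findings


def triage(version_text, cmdline):
    """Combine both checks: (affected_version, config_findings)."""
    return is_affected(version_text), audit_rc_command(cmdline)


if __name__ == "__main__":
    # Constructed inventory: hostname, 'rclone version' first line, process command line.
    INVENTORY = [
        ("backup-01", "rclone v1.73.4", "rclone rcd --rc-addr=0.0.0.0:5572 --rc-no-auth"),
        ("backup-02", "rclone v1.73.4", "rclone rcd --rc-user ops --rc-pass hunter2"),
        ("sync-gw", "rclone v1.73.5", "rclone sync /data s3:backups --rc --rc-addr :5572"),
        ("laptop", "rclone v1.47.0", "rclone sync /data s3:backups"),
    ]
    for host, version, cmd in INVENTORY:
        affected, findings = triage(version, cmd)
        print(f"{host}: affected={affected} findings={findings}")
```

A host that is both in the affected range and carries a finding is the patch-first case; a patched host with findings still warrants the configuration fix, since an exposed, unauthenticated RC interface is a risk independent of this CVE.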

Frequently asked questions

What is Rclone and what is it used for?

Rclone is a command-line program designed to synchronize files and directories between different locations, including local storage and various cloud storage services. It helps users manage data across multiple platforms efficiently.

What type of vulnerability is CVE-2026-41179 in Rclone?

CVE-2026-41179 is an unauthenticated remote command execution vulnerability. It falls under weakness class CWE-78, improper neutralization of special elements used in an OS command (OS command injection). It also involves CWE-306, missing authentication for a critical function, because the RC endpoint that instantiates backends can be reached without authenticating.

How can an attacker exploit Rclone's CVE-2026-41179 vulnerability?

An attacker can exploit this vulnerability by sending a specific request to Rclone's remote control (RC) endpoint. The request makes Rclone set up a WebDAV backend from attacker-provided input, and initializing that backend runs the attacker's command. The attack is not possible if Rclone's RC interface is not reachable or if global HTTP authentication is in place.

Who needs to be concerned about this Rclone vulnerability?

Users running Rclone with its remote control (RC) interface enabled and accessible, especially from the internet, should be concerned. Halo Surface Signal indicates this is unlikely to be exposed externally by default, but misconfigurations can create risk.

What is the first step to address this Rclone threat?

The immediate first step is to upgrade Rclone to version 1.73.5 or later. If an upgrade is not immediately possible, restrict network access to the Rclone RC endpoint, particularly on external interfaces, and require RC authentication with `--rc-user` and `--rc-pass`.
