External risk intelligence

Rclone Unauthenticated Remote Command Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49980

The vulnerability exists in the rclone remote control (rc) service when configured with --rc-serve. This mode is specifically designed to act as a web server to provide an API or file access over the network. Because this service is intended for remote access and interaction, it is commonly deployed as an externally reachable service, making it a likely candidate for public internet exposure.

Missing Authentication

Rclone

1.46 to before 1.74.3

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Rclone, a widely used tool for synchronizing files across cloud storage. The flaw allows unauthenticated access to execute commands on the system running Rclone, posing a significant security risk. The main concern is confirming relevance and exposure to this type of tool and its associated risks.

  • Remote command execution flaw discovered.
  • Affects systems using Rclone's remote control service.
  • Assess Rclone usage and remote control service configurations.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to a running rclone instance that has the remote control service enabled. This service, by default, allows unauthenticated access to certain paths. By manipulating a path request, an attacker can influence how rclone initializes its backend connections, potentially leading to the execution of arbitrary commands on the system where rclone is running.

  • No authentication or special access needed.
  • Request to a specific remote control path.
  • Arbitrary command execution on the server.

Live Threat

Current exploitation, exposure, and threat context

When rclone's remote control service is exposed externally and configured with specific options, unauthenticated requests could lead to the execution of arbitrary commands. This means an attacker could potentially run commands on the system hosting rclone, affecting the integrity and availability of the rclone process and the underlying operating system.

  • System commands could be executed.
  • Via unauthenticated network requests.
  • System compromise and data loss.

Operational Fix

Recommended remediation, mitigation, and detection steps

Systems leveraging Rclone's remote control service with the `--rc-serve` option enabled are at risk. This feature allows unauthenticated network requests to execute commands as the Rclone process user, posing a critical threat. Identifying all instances of Rclone, confirming their exposure and business criticality, and then assigning ownership for remediation planning is the immediate priority.

  • Rclone application owners should lead remediation.
  • Verify exposed Rclone instances and their configurations.
  • Plan remediation based on asset criticality and exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rclone?

Rclone is a command-line software tool used to sync, transfer, and manage files across many different cloud storage providers. It acts as an intermediary, allowing users to move data between local file systems and remote storage services seamlessly.

What does CVE-2026-49980 mean?

This CVE identifies a security weakness known as missing authentication (CWE-306). It means that specific functions in the software can be accessed without verifying who the user is. In this case, an attacker can exploit this to run unauthorized commands on the server hosting the software.

How is this vulnerability triggered?

It is triggered when an attacker sends a specially crafted GET or HEAD network request to an Rclone instance running the remote control service with --rc-serve enabled. Requests that do not target the specific remote control paths or systems that do not have the --rc-serve feature turned on are not subject to this specific command execution path.

Is my system at risk?

If you run Rclone with the --rc-serve option, your system may be at risk. Halo Surface Signal identifies this as a likely target for public internet exposure because this specific mode is designed to act as a web server, making it frequently reachable over a network rather than just restricted to internal use.

How do I secure my environment?

First, identify all instances of Rclone running in your environment to see if they utilize the --rc-serve configuration. If you find affected instances, update your software to version 1.74.3 or later, which contains the fix for this vulnerability.

References