CVE-2026-41176: Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.
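As an added illustration (not rclone's own code), a small Go model of the pattern the advisory describes: an RC registry whose authorization gate consults the runtime rc.NoAuth option, with options/set registered either outside the gate (the vulnerable shape) or behind it (the mitigation to verify in a patched build); the type and method names are hypothetical stand-ins for rclone's registry.

```go
package main

import "errors"

// Hypothetical stand-ins for rclone's RC registry, not its actual types:
// Call is a registered RC method; Server is a reachable RC server started
// with (HTTPAuth=true) or without global HTTP authentication; NoAuth
// mirrors the rc.NoAuth runtime option.
type Call struct {
	AuthRequired bool
	Fn           func(s *Server, params map[string]any) error
}
type Server struct {
	HTTPAuth bool
	NoAuth   bool
	Calls    map[string]*Call
}

var ErrForbidden = errors.New("forbidden: authentication required")

// Dispatch is the authorization gate: a method registered with AuthRequired
// is refused unless the server has HTTP auth or rc.NoAuth has been set.
func (s *Server) Dispatch(path string, params map[string]any) error {
	c, ok := s.Calls[path]
	if !ok {
		return errors.New("unknown method: " + path)
	}
	if c.AuthRequired && !s.HTTPAuth && !s.NoAuth {
		return ErrForbidden
	}
	return c.Fn(s, params)
}

// optionsSet applies {"rc": {"NoAuth": bool}} to the runtime options,
// the mutation the advisory describes.
func optionsSet(s *Server, params map[string]any) error {
	if rc, ok := params["rc"].(map[string]any); ok {
		if v, ok := rc["NoAuth"].(bool); ok {
			s.NoAuth = v
		}
	}
	return nil
}

// NewServer registers a sensitive method and options/set; fixed=true puts
// options/set behind the auth gate, which is the mitigation to verify.
func NewServer(fixed bool) *Server {
	s := &Server{Calls: map[string]*Call{}}
	s.Calls["config/get"] = &Call{AuthRequired: true, Fn: func(*Server, map[string]any) error { return nil }}
	s.Calls["options/set"] = &Call{AuthRequired: fixed, Fn: optionsSet}
	return s
}
```

With fixed=false the gate on config/get holds only until one unauthenticated options/set call flips NoAuth; with fixed=true that call is itself refused, and a server started with HTTP authentication is unaffected either way.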
References
- github.com/advisories/GHSA-25qr-6mpr-f7qx
- github.com/rclone/rclone
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go
- github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go
- github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
- nvd.nist.gov/vuln/detail/CVE-2026-41176