{"id":"CVE-2026-41179","summary":"RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution","details":"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.","aliases":["BIT-rclone-2026-41179","GHSA-jfwf-28xr-xw6q"],"modified":"2026-04-28T11:51:30.446452Z","published":"2026-04-23T00:03:36.282Z","related":["openSUSE-SU-2026:10584-1"],"database_specific":{"cwe_ids":["CWE-306","CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41179.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41179.json"},{"type":"WEB","url":"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go"},{"type":"WEB","url":"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go"},{"type":"WEB","url":"https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go"},{"type":"ADVISORY","url":"https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41179"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rclone/rclone","events":[{"introduced":"245fed513ad33c7aacad2c6d591c81f646d44dc1"},{"fixed":"2c12ca64d451d79252982fcf96b09dff1d55b55e"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.48.0"},{"fixed":"1.73.5"}]}}],"versions":["v1.48.0","v1.49.0","v1.50.0","v1.51.0","v1.52.0","v1.53.0","v1.54.0","v1.55.0","v1.56.0","v1.57.0","v1.58.0","v1.59.0","v1.60.0","v1.61.0","v1.62.0","v1.63.0","v1.64.0","v1.65.0","v1.66.0","v1.67.0","v1.68.0","v1.69.0","v1.70.0","v1.71.0","v1.72.0","v1.73.0","v1.73.1","v1.73.2","v1.73.3","v1.73.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41179.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}