CVE-2026-41176
Published: 23 April 2026
Summary
CVE-2026-41176 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Rclone. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
Rclone, a command-line program used to synchronize files with cloud storage providers, contains an authentication bypass vulnerability in its remote control (RC) interface. The `options/set` endpoint is registered without the `AuthRequired: true` flag and can alter global runtime settings, including the RC configuration block itself. The flaw affects versions 1.45.0 through 1.73.4 and is tracked as CWE-306.
An unauthenticated network attacker who can reach an RC server started without global HTTP authentication can invoke `options/set` to set `rc.NoAuth=true`. This change disables authorization checks on other RC methods that were intended to require authentication, granting the attacker access to administrative operations such as configuration changes and control functions.
The official advisory GHSA-25qr-6mpr-f7qx and the accompanying patch in version 1.73.5 address the issue by ensuring the `options/set` endpoint cannot be used to override authentication settings without prior authorization. The current and peak EPSS scores both stand at 0.2632, indicating no material increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25142
Vulnerability details
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
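To make the mechanism in the two descriptions above concrete, here is an added Go model of an RC dispatch gate; it is illustrative code written for this page, not rclone's own source, and the type names, the `authenticated` flag and the `config/dump` stand-in for any `AuthRequired` method are assumptions. `NewServer(false)` registers `options/set` without the flag (the pre-1.73.5 shape), so an unauthenticated call can flip `rc.NoAuth` and open the gate for every other method; `NewServer(true)` is the hardened registration, where the same call is refused and `NoAuth` stays false.

```go
package main

import "fmt"

// RCOptions stands in for the global rc option block (type names are assumptions).
type RCOptions struct{ NoAuth bool }

type Call struct { // a registered RC method; AuthRequired is its registration flag
	AuthRequired bool
	Fn           func(s *Server, params map[string]string) error
}

// Server holds the mutable option block and the method registry.
type Server struct {
	Opts  RCOptions
	Calls map[string]*Call
}

// Dispatch is the authorization gate: an AuthRequired method is refused unless the HTTP layer authenticated the caller or rc.NoAuth is set.
func (s *Server) Dispatch(path string, authenticated bool, params map[string]string) error {
	c, ok := s.Calls[path]
	if !ok {
		return fmt.Errorf("unknown method %q", path)
	}
	if c.AuthRequired && !s.Opts.NoAuth && !authenticated {
		return fmt.Errorf("unauthorized: %s requires authentication", path)
	}
	return c.Fn(s, params)
}

// optionsSet mutates the option block, including the rc block's NoAuth.
func optionsSet(s *Server, params map[string]string) error {
	if v, ok := params["rc.NoAuth"]; ok {
		s.Opts.NoAuth = v == "true"
	}
	return nil
}

// NewServer registers options/set without AuthRequired (the pre-1.73.5 shape)
// when gateOptionsSet is false, and with it (the hardened shape) when true.
func NewServer(gateOptionsSet bool) *Server {
	return &Server{Calls: map[string]*Call{
		"options/set": {AuthRequired: gateOptionsSet, Fn: optionsSet},
		"config/dump": {AuthRequired: true, Fn: func(*Server, map[string]string) error { return nil }},
	}}
}

func main() {
	fmt.Println(NewServer(false).Dispatch("options/set", false, map[string]string{"rc.NoAuth": "true"}))
}
```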
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a network-exposed Remote Control (RC) HTTP endpoint of Rclone, enabling unauthenticated remote attackers to mutate configurations and access administrative functions, directly mapping to exploitation of public-facing applications and remote services.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authorization on the `options/set` RC endpoint so that unauthenticated callers cannot mutate `rc.NoAuth` or other privileged settings.
- Restricts the ability to change system or runtime configuration (including RC authentication settings) to authorized subjects only.
- Limits the privileges granted to unauthenticated RC sessions so they cannot perform administrative configuration or control operations.