CVE-2026-41176

Severity: Critical · Public PoC
Published: 23 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (version 1.73.5)
CVSS v4 Score: 9.2 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.3453 (percentile 98.2)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-41176 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Rclone (vendor: Rclone). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

Rclone, a command-line program used to synchronize files with cloud storage providers, contains an authentication bypass vulnerability in its remote control (RC) interface. The `options/set` endpoint is registered without the `AuthRequired: true` flag and can alter global runtime settings, including the RC configuration block itself. The flaw affects versions 1.45.0 through 1.73.4 and is tracked as CWE-306.

An unauthenticated network attacker who can reach an RC server started without global HTTP authentication can invoke `options/set` to set `rc.NoAuth=true`. This change disables authorization checks on other RC methods that were intended to require authentication, granting the attacker access to administrative operations such as configuration changes and control functions.

The official advisory GHSA-25qr-6mpr-f7qx and the accompanying patch in version 1.73.5 address the issue by ensuring the `options/set` endpoint cannot be used to override authentication settings without prior authorization. The current and peak EPSS scores both stand at 0.2632, indicating no material increase in observed exploitation interest after disclosure.

Vulnerability details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
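The authorization gate described above, modelled as an added Go example that is not rclone's code: a toy registry in which every RC method carries an `AuthRequired` flag, an `options/set` handler that can flip `rc.NoAuth`, and the vulnerable registration placed beside the patched one so the difference is visible. The type and function names (`Options`, `Request`, `Call`, `Registry`, `Dispatch`, and the stand-in privileged method `config/update`) are assumptions for illustration, not rclone's internals.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model of an RC-style dispatcher illustrating CVE-2026-41176.
// It is NOT rclone's code; Options, Request, Call, Registry and Dispatch
// are hypothetical stand-ins for whatever the real project uses.

// Options is the global runtime configuration, including the RC block.
type Options struct {
	RC struct {
		NoAuth bool // when true, AuthRequired methods skip the auth check
	}
	LogLevel string
}

// Request models one RC call: the method path, its parameters, and whether
// the caller presented valid HTTP credentials.
type Request struct {
	Path          string
	Params        map[string]string
	Authenticated bool
}

// Call models a registered RC method.
type Call struct {
	Path         string
	AuthRequired bool
	Fn           func(opts *Options, params map[string]string) error
}

type Registry map[string]Call

var ErrUnauthorized = errors.New("unauthorized")

// Dispatch is the authorization gate: a method marked AuthRequired is refused
// for unauthenticated callers UNLESS rc.NoAuth has been switched on.
func Dispatch(reg Registry, opts *Options, req Request) error {
	call, ok := reg[req.Path]
	if !ok {
		return fmt.Errorf("unknown method %q", req.Path)
	}
	if call.AuthRequired && !req.Authenticated && !opts.RC.NoAuth {
		return ErrUnauthorized
	}
	return call.Fn(opts, req.Params)
}

// setOptions mutates global settings, including the RC block itself.
func setOptions(opts *Options, params map[string]string) error {
	for k, v := range params {
		switch k {
		case "rc.NoAuth":
			opts.RC.NoAuth = v == "true"
		case "LogLevel":
			opts.LogLevel = v
		default:
			return fmt.Errorf("unknown option %q", k)
		}
	}
	return nil
}

// configUpdate stands in for any privileged RC method (hypothetical name).
func configUpdate(opts *Options, params map[string]string) error { return nil }

// VulnerableRegistry registers options/set WITHOUT AuthRequired: the bug.
func VulnerableRegistry() Registry {
	return Registry{
		"options/set":   {Path: "options/set", AuthRequired: false, Fn: setOptions},
		"config/update": {Path: "config/update", AuthRequired: true, Fn: configUpdate},
	}
}

// PatchedRegistry marks options/set AuthRequired, closing the bypass.
func PatchedRegistry() Registry {
	r := VulnerableRegistry()
	c := r["options/set"]
	c.AuthRequired = true
	r["options/set"] = c
	return r
}

// UnauthenticatedAdminReachable reports whether a caller with no credentials
// reaches the privileged method after one options/set call.
func UnauthenticatedAdminReachable(reg Registry) bool {
	opts := &Options{}
	_ = Dispatch(reg, opts, Request{Path: "options/set",
		Params: map[string]string{"rc.NoAuth": "true"}})
	return Dispatch(reg, opts, Request{Path: "config/update"}) == nil
}

func main() {
	fmt.Println("vulnerable registry, admin reachable:", UnauthenticatedAdminReachable(VulnerableRegistry()))
	fmt.Println("patched registry, admin reachable:   ", UnauthenticatedAdminReachable(PatchedRegistry()))
}
```

Run as written, the vulnerable registry reports that an unauthenticated caller reaches `config/update` after a single `options/set` call, while the patched registry refuses both calls. The page's other precondition matters just as much in deployment: an RC server started with global HTTP authentication never hands an unauthenticated request to the dispatcher at all, so there is no gate for a mutated `rc.NoAuth` to disable.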

CWE(s)

CWE-306 Missing Authentication for Critical Function
Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability is an authentication bypass in a network-exposed Remote Control (RC) HTTP endpoint of Rclone, enabling unauthenticated remote attackers to mutate configurations and access administrative functions, directly mapping to exploitation of public-facing applications and remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-41179 (same product: Rclone)
- CVE-2026-4436 (shared CWE-306)
- CVE-2025-20358 (shared CWE-306)
- CVE-2026-4810 (shared CWE-306)
- CVE-2025-53847 (shared CWE-306)
- CVE-2025-61757 (shared CWE-306)
- CVE-2025-68715 (shared CWE-306)
- CVE-2026-21992 (shared CWE-306)
- CVE-2025-26362 (shared CWE-306)
- CVE-2026-48692 (shared CWE-306)

Affected Assets

rclone (vendor: rclone), versions 1.45 to 1.73.5

Mitigating Controls (NIST 800-53 r5)

- Prevent: AC-3 Access Enforcement. Directly enforces authorization on the `options/set` RC endpoint so that unauthenticated callers cannot mutate `rc.NoAuth` or other privileged settings.
- Prevent: CM-5 Access Restrictions for Change. Restricts the ability to change system or runtime configuration (including RC authentication settings) to authorized subjects only.
- Prevent: Limits the privileges granted to unauthenticated RC sessions so they cannot perform administrative configuration or control operations.
