CVE-2026-41176
Published: 23 April 2026
Summary
CVE-2026-41176 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Rclone Rclone. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Explicitly identifies and limits organizational actions permitted without identification or authentication, directly preventing exposure of the unauthenticated /options/set endpoint that mutates critical RC configuration.
Enforces approved authorizations for logical access to system resources, blocking unauthorized attackers from exploiting the RC endpoint to disable authentication gates.
Defines and enforces logical access restrictions for changes to system components, mitigating unauthenticated mutation of global runtime configuration including rc.NoAuth settings.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a network-exposed Remote Control (RC) HTTP endpoint of Rclone, enabling unauthenticated remote attackers to mutate configurations and access administrative functions, directly mapping to exploitation of public-facing applications and remote services.
NVD Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting…
more
in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Deeper analysisAI
CVE-2026-41176 is a critical authentication bypass vulnerability in Rclone, a command-line program for syncing files and directories to and from cloud storage providers. The issue affects the RC (Remote Control) endpoint `/options/set`, which is exposed without requiring authentication (`AuthRequired: true`). This endpoint allows mutation of global runtime configuration, including the RC option block itself. The vulnerability impacts Rclone versions starting from 1.45.0 up to but not including 1.73.5, enabling unauthenticated attackers to alter key settings on reachable RC servers launched without global HTTP authentication.
An unauthenticated attacker with network access to the RC server can exploit this by sending a request to the `/options/set` endpoint to set `rc.NoAuth=true`. This disables the authorization gate for numerous other RC methods that are registered with `AuthRequired: true`, granting unauthorized access to sensitive administrative functionality. Potential impacts include manipulation of configurations and execution of operational RC methods, as reflected in the vulnerability's CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-306 (Missing Authentication for Critical Function).
The Rclone security advisory (GHSA-25qr-6mpr-f7qx) and related code changes confirm that version 1.73.5 patches the issue by addressing the unauthenticated mutation of the RC configuration. Security practitioners should prioritize upgrading affected RC servers to version 1.73.5 or later to mitigate the risk.
Details
- CWE(s)