CVE-2026-41179
Published: 23 April 2026
Summary
CVE-2026-41179 is a critical-severity OS Command Injection (CWE-78) vulnerability in Rclone (vendor: Rclone). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly prohibits unauthenticated actions on sensitive RC endpoints like operations/fsinfo, preventing attacker-controlled backend instantiation and command execution.
- CM-6 (Configuration Settings): mandates secure configuration settings such as AuthRequired: true for RC endpoints to block unauthenticated access to attacker-controlled fs input.
- Flaw remediation: requires timely patching of the Rclone flaw (upgrade to v1.73.5+), eliminating the unauthenticated endpoint exposure and backend initialization vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote code execution via a crafted request to the exposed public-facing RC endpoint (`operations/fsinfo`) in Rclone, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Deeper analysis
CVE-2026-41179 affects Rclone, a command-line program for syncing files and directories to and from cloud storage providers. The vulnerability exists in versions 1.48.0 through 1.73.4, specifically in the RC endpoint `operations/fsinfo`, which is exposed without the `AuthRequired: true` setting and accepts attacker-controlled `fs` input. This allows `rc.GetFs(...)` to instantiate an attacker-controlled backend on demand, as it supports inline backend definitions. For the WebDAV backend, the `bearer_token_command` executes during initialization, enabling command execution.
An unauthenticated attacker can exploit this on any reachable RC deployment lacking global HTTP authentication. By sending a single crafted request to the `operations/fsinfo` endpoint with a malicious WebDAV backend configuration, the attacker triggers execution of an arbitrary local command via the `bearer_token_command` feature, achieving remote code execution without prior authentication.
The rclone security advisory GHSA-jfwf-28xr-xw6q confirms that version 1.73.5 patches the issue by addressing the unauthenticated endpoint exposure. Practitioners should upgrade to Rclone 1.73.5 or later and review RC configurations to enforce authentication on all endpoints. Relevant code changes are detailed in the project's GitHub repository for the WebDAV backend, RC operations, and cache modules.
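The following triage script is an added example, not code from the advisory or from the rclone project. It checks an `rclone version` banner against the affected range stated above (1.48.0 up to but not including 1.73.5) and audits an rclone command line for the exposure conditions the advisory describes: the RC server running without global HTTP authentication and reachable beyond localhost. The RC flag names it inspects (`--rc`, `--rc-user`, `--rc-pass`, `--rc-htpasswd`, `--rc-no-auth`, `--rc-addr`) are rclone's own options and are assumed here rather than taken from this page.

```python
import re
import shlex

# Affected range from the advisory: 1.48.0 up to, but not including, 1.73.5.
AFFECTED_FROM = (1, 48, 0)
FIXED_IN = (1, 73, 5)

def parse_rclone_version(banner):
    """Return (major, minor, patch) from the first line of `rclone version` output."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no rclone version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the installed rclone falls inside the vulnerable range."""
    return AFFECTED_FROM <= version < FIXED_IN

def _flag_present(args, name):
    return any(a == name or a.startswith(name + "=") for a in args)

def _value_of(args, name, default):
    for i, a in enumerate(args):
        if a.startswith(name + "="):
            return a.split("=", 1)[1]
        if a == name and i + 1 < len(args):
            return args[i + 1]
    return default

def audit_rcd_cmdline(cmdline):
    """Return findings for an rclone command line; an empty list means no exposure found.
    Flag names (--rc, --rc-user, --rc-htpasswd, --rc-no-auth, --rc-addr) are rclone's
    own RC server options, assumed here rather than taken from the advisory.
    """
    args = shlex.split(cmdline)
    if "rcd" not in args and not _flag_present(args, "--rc"):
        return []  # RC server not started: operations/fsinfo is not reachable at all
    findings = []
    if not any(_flag_present(args, f) for f in ("--rc-user", "--rc-htpasswd")):
        findings.append("no global HTTP auth (--rc-user/--rc-pass or --rc-htpasswd)")
    if _flag_present(args, "--rc-no-auth"):
        findings.append("--rc-no-auth explicitly permits unauthenticated RC calls")
    addr = _value_of(args, "--rc-addr", "localhost:5572")  # rclone's default bind address
    if addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "[::]", "::"):
        findings.append("RC server listens on all interfaces (%s)" % addr)
    return findings
```

A host where `is_affected` is true and `audit_rcd_cmdline` returns any finding matches the reachable, unauthenticated deployment the advisory describes and should be upgraded to 1.73.5 or later first.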
Details
- CWE(s)