CVE Catalog

CVE-2026-49980

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.70%

49th percentile — higher than 49% of all known CVEs

Summary

Rclone versions 1.46.0 through 1.74.2 have a vulnerability in server mode (rcd --rc-serve) that allows unauthenticated GET and HEAD requests to execute arbitrary system commands. An attacker can craft special URLs to initialize backends with options that run local commands.

Risk Assessment

The risk is remote code execution (RCE) without authentication, potentially leading to full system compromise, data theft, or further attacks on the infrastructure.

Recommendation

Immediately update Rclone to version 1.74.3 or later. If updating is not possible, disable server mode (rcd --rc-serve) or restrict access to it via firewall.

Original NVD description (English source)

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS