JustAppSec

Patches unauthenticated command execution in rclone RC fsinfo

1 min read | Published 23 Apr 2026 | Updated 23 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — A missing-auth guard on rclone’s Remote Control operations/fsinfo can be abused to trigger local command execution by instantiating an attacker-controlled WebDAV backend with a malicious bearer_token_command.

What happened

rclone is a widely-used command-line tool for syncing files and directories to and from cloud storage providers, and includes an optional Remote Control (RC) HTTP API for automation.

CVE-2026-41179 describes a Critical issue where the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can create an attacker-controlled backend on demand; for the WebDAV backend, bearer_token_command is executed during backend initialization, enabling single-request unauthenticated local command execution on reachable RC deployments without global HTTP authentication.

This is a high-impact “admin surface exposed” failure mode: RC endpoints are commonly enabled for automation and diagnostics, and any accidental network exposure (or “temporary” no-auth configs) can turn into an immediate code-execution primitive.

Who is impacted

  • Deployments running rclone versions >= 1.48.0 and < 1.73.5.
  • Highest risk environments match the CVE/GHSA preconditions:
    • RC is enabled (via --rc or rclone rcd).
    • RC is reachable by the attacker (e.g., bound beyond localhost using --rc-addr).
    • RC is deployed without global RC HTTP authentication (not using --rc-user / --rc-pass / --rc-htpasswd, etc.).
Component                      Affected               Patched
rclone RC operations/fsinfo    >= 1.48.0, < 1.73.5    1.73.5

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing; the CVE record states the issue is patched in rclone 1.73.5.
  • Treat RC exposure as a production security boundary:
    • Do not expose the RC listener to untrusted networks.
    • Add global RC HTTP authentication (e.g., --rc-user / --rc-pass / --rc-htpasswd) where RC must be reachable.
  • Incident-response hygiene (if RC may have been reachable): review access logs/telemetry for unexpected POSTs to operations/fsinfo, then rotate credentials and secrets accessible to the rclone host/runtime.
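The following is an added example, not code from the advisory or from the rclone project. It turns the preconditions listed under "Who is impacted" and the review step above into two checks a defender can run: one inspects an rclone command line for the exposure pattern (RC enabled, listener bound beyond localhost, no global RC HTTP authentication, version in the affected range), the other scans HTTP access log lines for POSTs to operations/fsinfo from non-loopback clients. The log format and the sample lines are constructed for illustration (a Common Log Format layout; a real deployment's reverse proxy or rclone log layout may differ), and the fallback listener address `localhost:5572` is an assumption based on rclone's documented default.

```python
"""Added example (not from the advisory or rclone): RC exposure and fsinfo log checks."""
import ipaddress
import re
import shlex

FIRST_AFFECTED = (1, 48, 0)   # from the CVE record: >= 1.48.0
PATCHED = (1, 73, 5)          # from the CVE record: fixed in 1.73.5
AUTH_FLAGS = ("--rc-user", "--rc-pass", "--rc-htpasswd")
DEFAULT_RC_ADDR = "localhost:5572"  # assumption: rclone's documented default for --rc-addr


def parse_version(text):
    """Turn '1.73.4' or 'v1.73.4' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(text):
    return FIRST_AFFECTED <= parse_version(text) < PATCHED


def _flag_value(args, name):
    """Return the value of --flag VALUE or --flag=VALUE, or None if absent."""
    for i, a in enumerate(args):
        if a == name and i + 1 < len(args):
            return args[i + 1]
        if a.startswith(name + "="):
            return a.split("=", 1)[1]
    return None


def listens_beyond_localhost(addr):
    """True if an IPaddress:Port / :Port bind string reaches past the loopback interface."""
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    host = host.strip("[]")           # IPv6 literals are written as [::1]:5572
    if host in ("", "*"):             # ':5572' binds every interface
        return True
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True                   # some other hostname: assume it is routable


def assess_rc_exposure(cmdline, version):
    """Return finding codes for an rclone invocation; empty list means RC is not enabled."""
    args = shlex.split(cmdline)
    if "--rc" not in args and "rcd" not in args:
        return []
    findings = []
    if version_affected(version):
        findings.append("affected-version")
    if listens_beyond_localhost(_flag_value(args, "--rc-addr") or DEFAULT_RC_ADDR):
        findings.append("listener-beyond-localhost")
    if not any(a == f or a.startswith(f + "=") for a in args for f in AUTH_FLAGS):
        findings.append("no-global-rc-auth")
    return findings


# Constructed Common Log Format lines (not real rclone output).
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Apr/2026:10:00:01 +0000] "POST /operations/fsinfo HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Apr/2026:10:02:13 +0000] "POST /operations/fsinfo HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Apr/2026:10:02:14 +0000] "POST /core/stats HTTP/1.1" 200 210',
    '198.51.100.4 - - [23/Apr/2026:10:05:40 +0000] "POST /operations/fsinfo?x=1 HTTP/1.1" 500 88',
]
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')


def suspicious_fsinfo_requests(lines):
    """Return (client_ip, timestamp) for POSTs to operations/fsinfo from non-loopback clients."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0].rstrip("/") != "/operations/fsinfo":
            continue
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if not client.is_loopback:
            hits.append((m.group("ip"), m.group("ts")))
    return hits


if __name__ == "__main__":
    print(assess_rc_exposure("rclone rcd --rc-addr 0.0.0.0:5572", "1.73.4"))
    print(suspicious_fsinfo_requests(SAMPLE_LOG))
```

Loopback requests are skipped on purpose: local automation is the normal RC client, and the advisory's preconditions concern listeners reachable from elsewhere. Any hit from the log check is a prompt to start the credential and secret rotation described above, not proof of compromise on its own.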

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
