An rsync security advisory reports:
There is a path-sanitizing bug that affects daemon mode in
all recent rsync versions (including 2.6.2) but only if
chroot is disabled.
The bug may allow a remote user to access files outside
of an rsync module’s configured path with the privileges
configured for that module.