279 matches found
Rclone RC - Broken Access Control
Rclone = 1.45.0 and = 1.45.0 and 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint options/set allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires R...
RClone RC - Command Injection
Rclone = 1.48.0 and = 1.48.0 and 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment...
CVE-2026-59733
A flaw was found in Rclone. When using the rclone serve restic --private-repos command, an authenticated user can include directory traversal sequences e.g., .. in a request. This allows them to bypass authorization and read, overwrite, or delete another user's private repository on backends that...
Linux Distros Unpatched Vulnerability : CVE-2026-59733
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-rep...
DEBIAN-CVE-2026-59733
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path,...
CVE-2026-59733
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path,...
DEBIAN-CVE-2026-59732
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as...
CVE-2026-59732
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as...
DEBIAN-CVE-2026-54572
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...
CVE-2026-54572
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...
CVE-2026-59733
CVE-2026-59733 affects the rclone tool before version 1.74.4, specifically when using the command set “serve restic --private-repos.” The issue arises because authorization is enforced using the routed user path segment while the backend object key is built from the raw, uncleaned URL path, allow...
CVE-2026-54572 rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untrusted remote
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...
CVE-2026-54572
Rogue symlink handling in rclone before 1.74.4: when using -l/--links, rclone serializes symlinks as .rclonelink and recreates them locally without validating the target, allowing an attacker-controlled remote to plant an escaping symlink and cause subsequent writes to land outside the destinatio...
CVE-2026-59732
The CVE describes a vulnerability in rclone where rclone archive extract could write extracted files outside the user-specified destination prefix when processing crafted archives containing parent path components (e.g., ../). This allowed creating or overwriting sibling objects in the same bucke...
rclone-1.74.4-1.1 on GA media (moderate)
rclone-1.74.4-1.1 on GA media Announcement ID: openSUSE-SU-2026:11241-1 Rating: moderate Cross-References: CVE-2026-54572 CVE-2026-59732 CVE-2026-59733 Affected Products: openSUSE Tumbleweed An update that solves 3 vulnerabilities can now be installed. Description: These are all security issues...
PT-2026-57234
Name of the Vulnerable Software and Affected Versions rclone versions prior to 1.74.4 Description When using the -l/--links flag, the software serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target. This allows an attacker-controlle...
PT-2026-57243
Name of the Vulnerable Software and Affected Versions rclone versions prior to 1.74.4 Description When using the serve restic --private-repos command, the software enforces authorization based on the routed user path segment but constructs the backend object key using the raw, uncleaned URL path...
PT-2026-57242
Name of the Vulnerable Software and Affected Versions rclone versions prior to 1.74.4 Description The archive extract function allows the creation or overwriting of sibling objects within the same bucket or path scope. This occurs when extracting a specially crafted archive containing parent path...
OPENSUSE-SU-2026:11241-1 rclone-1.74.4-1.1 on GA media
These are all security issues fixed in the rclone-1.74.4-1.1 package on the GA media of openSUSE Tumbleweed...
Important: rclone
Issue Overview: The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size. CVE-2026-46601 The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause...