RClone RC - Command Injection
Rclone = 1.48.0 and = 1.48.0 and 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment...
Rclone RC - Broken Access Control
Rclone = 1.45.0 and = 1.45.0 and 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint options/set allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires R...
ROOT-APP-GOBINARY-CVE-2026-41179 CVE-2026-41179 in rootio-github.com/rclone/rclone - Patched by Root
Root has patched CVE-2026-41179 in the rootio-github.com/rclone/rclone package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-41176 CVE-2026-41176 in rootio-github.com/rclone/rclone - Patched by Root
Root has patched CVE-2026-41176 in the rootio-github.com/rclone/rclone package for Root:Go. Multiple fixed versions available...
Rclone 1.46.x < 1.74.3 Unauthenticated Command Execution
The version of Rclone installed on the remote host is 1.46.x prior to 1.74.3. It is, therefore, affected by an unauthenticated command execution vulnerability: - rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form /remote:path/object. The remote value is parse...
Security update for rclone (critical)
openSUSE Security Update: Security update for rclone Announcement ID: openSUSE-SU-2026:0199-1 Rating: critical References: 1266210 1267869 Cross-References: CVE-2026-25680 CVE-2026-25681 CVE-2026-27136 CVE-2026-27145 CVE-2026-33809 CVE-2026-39821 CVE-2026-39824 CVE-2026-39827 CVE-2026-39828...
rclone-1.74.3-1.1 on GA media (moderate)
rclone-1.74.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10975-1 Rating: moderate Cross-References: CVE-2026-27145 CVE-2026-42504 CVE-2026-42507 CVE-2026-49980 CVSS scores: CVE-2026-27145 SUSE : 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2026-27145 SUSE : 4.6...
OPENSUSE-SU-2026:10975-1 rclone-1.74.3-1.1 on GA media
These are all security issues fixed in the rclone-1.74.3-1.1 package on the GA media of openSUSE Tumbleweed...
Amazon Linux 2 : rclone, --advisory ALAS2-2026-3348 (ALAS-2026-3348)
The version of rclone installed on the remote host is prior to 1.55.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3348 advisory. The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively...
CVE-2026-11416
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...
PT-2026-47184
Name of the Vulnerable Software and Affected Versions rclone versions 1.46.0 through 1.74.2 Description When the remote control API is enabled and the --rc-serve flag is used without HTTP authentication, the software accepts unauthenticated GET and HEAD requests to paths formatted as...
EUVD-2026-34920
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...
CVE-2026-11416 MoviePilot Path Traversal via Cloud Storage Download Handlers
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...
PT-2026-47060
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...
Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Rclone vulnerabilities (USN-8299-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8299-1 advisory. It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could...
Amazon Linux 2 : rclone, --advisory ALAS2-2026-3309 (ALAS-2026-3309)
The version of rclone installed on the remote host is prior to 1.55.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3309 advisory. Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag...
Amazon Linux 2023 : rclone (ALAS2023-2026-1717)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1717 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...
Important: rclone
Issue Overview: Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escapi...
Important: rclone
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
USN-8299-1: Rclone vulnerabilities
It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could possibly use this issue to obtain sensitive information. CVE-2026-41176 It was discovered that Rclone incorrectly handled backend instantiation via the remote control API. An attacker coul...