259 matches found
rclone-1.74.1-1.1 on GA media (moderate)
rclone-1.74.1-1.1 on GA media Announcement ID: openSUSE-SU-2026:10762-1 Rating: moderate Cross-References: CVE-2026-33814 CVSS scores: CVE-2026-33814 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be...
VulnCheck KEV: CVE-2026-41176
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...
OPENSUSE-SU-2026:10762-1 rclone-1.74.1-1.1 on GA media
These are all security issues fixed in the rclone-1.74.1-1.1 package on the GA media of openSUSE Tumbleweed...
[SECURITY] Fedora 44 Update: rclone-1.74.0-2.fc44
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...
Fedora 44 : rclone (2026-63341da831)
The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-63341da831 advisory. Update to 1.74.0 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested f...
Fedora 43 : rclone (2026-2bb2aee489)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-2bb2aee489 advisory. Update to 1.74.0 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested f...
rclone-1.74.0-1.1 on GA media (moderate)
rclone-1.74.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10682-1 Rating: moderate Cross-References: CVE-2026-32952 CVE-2026-33813 Affected Products: openSUSE Tumbleweed An update that solves 2 vulnerabilities can now be installed. Description: These are all security issues fixed in the...
OPENSUSE-SU-2026:10682-1 rclone-1.74.0-1.1 on GA media
These are all security issues fixed in the rclone-1.74.0-1.1 package on the GA media of openSUSE Tumbleweed...
Important: rclone
Issue Overview: crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was...
Amazon Linux 2 : rclone, --advisory ALAS2-2026-3264 (ALAS-2026-3264)
"The version of rclone installed on the remote host is prior to 1.55.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3264 advisory. gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper...
JLSEC-2026-281 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Summary The RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs... supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend,...
JLSEC-2026-279 Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
tl;dr: unprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data using --links and --metadata. unprivileged user now owns /etc/sudoers. Summary Insecure handling of symlinks with --links and --metadata i...
JLSEC-2026-278
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limi...
openSUSE 16 Security Update : rclone (openSUSE-SU-2026:20620-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20620-1 advisory. Changes in rclone: - Update to version 1.73.5: Version v1.73.5 operations: add AuthRequired to operations/fsinfo to prevent backend creation...
CVE-2026-32952 vulnerabilities
Vulnerabilities for packages: kyverno-notation-aws, ratify, juicefs, k6, rancher-agent, zot, grafana, dex, sftpgo-plugin-auth, kyverno, percona-server-mongodb-operator, rancher, seaweedfs, cert-manager, gitea, cert-manager-cmctl, telegraf, bento, openbao, terraform, external-secrets-operator,...
GHSA-PJCQ-XVWQ-HHPJ vulnerabilities
Vulnerabilities for packages: kyverno-notation-aws, ratify, juicefs, k6, rancher-agent, zot, grafana, dex, sftpgo-plugin-auth, kyverno, percona-server-mongodb-operator, rancher, seaweedfs, cert-manager, gitea, cert-manager-cmctl, telegraf, bento, openbao, terraform, external-secrets-operator,...
BIT-RCLONE-2026-41176 Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...
SUSE CVE-2026-41179
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...
Rclone 1.45.x < 1.73.5 Authentication Bypass (CVE-2026-41176)
The version of Rclone installed on the remote host is 1.45.x prior to 1.73.5. It is, therefore, affected by an authentication bypass vulnerability: - The RC endpoint options/set is exposed without AuthRequired, but it can mutate global runtime configuration, including the RC option block itself. ...
Rclone 1.48.x < 1.73.5 Command Injection (CVE-2026-41179)
The version of Rclone installed on the remote host is 1.48.x prior to 1.73.5. It is, therefore, affected by a command injection vulnerability: - The RC endpoint operations/fsinfo is exposed without AuthRequired and accepts attacker-controlled fs input. Because rc.GetFs supports inline backend...