Auth bypass in Rclone

CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including…

Vulnerability class: Broken Authentication

EPSS: 0.263 (96.4th percentile)

Affected products

  • Rclone — versions >= 1.45.0, < 1.73.5
