=====================================================================
CERT-Renater Information Note No. 2026/VULN601
_____________________________________________________________________

DATE : 08/06/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running rclone (Go) versions prior to 1.74.3.
=====================================================================

https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
_____________________________________________________________________

Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation

Severity: Critical
Published by ncw as GHSA-qw24-gh76-8rvv on Jun 5, 2026
Package: github.com/rclone/rclone (Go)
Affected versions: >=1.46.0, <=1.74.2
Patched versions: 1.74.3

Description

Summary

rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form:

    /[remote:path]/object

The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user.

Versions from 1.55.0 onwards are vulnerable to command execution. Earlier versions (from 1.46.0) are vulnerable to the unauthenticated local file read described under "Additional impact" but not to command execution, because inline backend option overrides did not exist until 1.55.0.
Preconditions

Preconditions for this vulnerability are:

- The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server.
- The remote control API must be reachable by the attacker; by default rclone only serves the rc to localhost unless the --rc-addr flag is in use.
- The rc must have been deployed without global RC HTTP authentication, i.e. not using --rc-user/--rc-pass/--rc-htpasswd/etc.
- The --rc-serve flag must be in use.

Impact

An unauthenticated network attacker who can reach the RC HTTP listener can execute commands as the rclone process user.

Additional impact observed during testing:

- GET and HEAD both trigger backend initialization.
- The same path allows unauthenticated local file read through inline local remotes.
- Inline global.* options can mutate process-wide rclone configuration, including global.http_proxy.
- Browser subresource requests can also trigger the issue against a localhost-only RC listener. In testing, Firefox triggered the payload from a public HTTPS page containing only a single HTML tag pointing at http://127.0.0.1:5572/.... This is an additional impact multiplier, not the primary attack precondition.

Mitigations / Workarounds

- Upgrade to rclone 1.74.3 (or 1.75.0 when released).
- Or, configure HTTP authentication on the rc with --rc-user/--rc-pass or --rc-htpasswd, which has always been the recommended deployment.
- Or, do not use --rc-serve if file serving is not needed.
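As an added example (not part of the advisory or the rclone project), a small Python audit helper that classifies an rclone command line against the four preconditions and the affected version ranges listed above, useful when reviewing service units or process listings before upgrading. The flag parsing and the loopback heuristic are assumptions of this helper; it treats a loopback-only listener as a blocker even though the advisory notes browser subresource requests can still reach it.

```python
import shlex

# Flags from the advisory's preconditions; VALUE_FLAGS take an argument
# either as --flag=value or as the following token (assumed rclone syntax).
VALUE_FLAGS = {"--rc-addr", "--rc-user", "--rc-pass", "--rc-htpasswd"}
AUTH_FLAGS = {"--rc-user", "--rc-pass", "--rc-htpasswd"}
FIRST_AFFECTED, FIRST_RCE, FIRST_PATCHED = (1, 46, 0), (1, 55, 0), (1, 74, 3)

def parse_flags(cmdline):
    # Returns (positional tokens, {flag: value or True}).
    tokens, positional, flags, i = shlex.split(cmdline), [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            positional.append(tok)
        elif "=" in tok:
            key, val = tok.split("=", 1)
            flags[key] = val
        elif tok in VALUE_FLAGS and i + 1 < len(tokens):
            flags[tok], i = tokens[i + 1], i + 1
        else:
            flags[tok] = True
        i += 1
    return positional, flags

def listens_beyond_loopback(addr):
    # ":5572" or "0.0.0.0:5572" bind every interface; "localhost:5572" does not.
    host = addr.rsplit(":", 1)[0].strip("[]") if ":" in addr else addr
    return host == "" or host not in ("localhost", "::1") and not host.startswith("127.")

def audit_rc(cmdline, version):
    # Classify one rclone invocation against the advisory's four preconditions.
    positional, flags = parse_flags(cmdline)
    ver = tuple(int(p) for p in version.split("."))
    impact = ("none" if ver < FIRST_AFFECTED or ver >= FIRST_PATCHED
              else "command execution" if ver >= FIRST_RCE else "local file read")
    blockers = []
    if "rcd" not in positional and "--rc" not in flags:
        blockers.append("rc API not enabled")
    addr = flags.get("--rc-addr")
    if not (isinstance(addr, str) and listens_beyond_loopback(addr)):
        blockers.append("rc bound to loopback only")  # browser subresources can still reach it
    if AUTH_FLAGS & set(flags):
        blockers.append("rc HTTP auth configured")
    if "--rc-serve" not in flags:
        blockers.append("--rc-serve not set")
    return {"impact": impact, "blockers": blockers,
            "exposed": impact != "none" and not blockers}
```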
The Fix

The vulnerabilities in this advisory have been fixed by two commits:

- rc: fix unauthenticated command execution via --rc-serve inline remotes
- rc: stop global.* connection string options changing config

Severity

Critical, 9.8 / 10

CVSS v3 base metrics:
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  None
  User interaction:     None
  Scope:                Unchanged
  Confidentiality:      High
  Integrity:            High
  Availability:         High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2026-49980

Weaknesses: CWE-306

Credits:
  @kamil-sawicki (Reporter)
  @ncw (Remediation developer)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================