CVE-2026-41176 (status: patched)
Vendor: google · Product: rclone

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

Affected Products

Vendor   Product   Versions
google   rclone    >= 1.45.0, < 1.73.5

References

  • https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx (CONFIRM)
  • https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/config.go (MISC)
  • https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/rcserver/rcserver.go (MISC)

Related News (1 article)

  • Tier C · VulDB · 5d ago
    CVE-2026-41176 | Rclone up to 1.73.4 RC Endpoint options/set missing authentication (GHSA-25qr-6mpr-f7qx)
    → No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: github.com/rclone/rclone@1.73.5
CWE: CWE-306
Published: Apr 22, 2026
Last enriched: 5d ago (v2)
Tags: GHSA-25qr-6mpr-f7qx, go, CVE-2026-41176
Trending score: 22
Source articles: 1
Independent: 1
Info completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack



Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 22, 2026
Discovered by ZDM: Apr 22, 2026
Updated (severity, tags): Apr 23, 2026
Exploit Available: Apr 28, 2026
Patch Available: Apr 28, 2026

Version History

v2 · Tier C · 5d ago (last enriched 5d ago)
  Updated severity to CRITICAL, marked exploit availability as false, and added new CVE ID CVE-2026-41176.
  Fields changed: severity, tags
  Source: via VulDB

v1 · 6d ago
  Initial creation