Zero Day MonitorZDM

← Back to list

—

CVE-2026-41179EXPLOITEDPATCHED

google · rclone

RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Description

A vulnerability identified as critical has been detected in Rclone up to 1.73.4. This affects the function bearer_token_command of the file operations/fsinfo of the component RC Endpoint. The manipulation leads to os command injection. This vulnerability is documented as CVE-2026-41179. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
google	rclone	go/github.com/rclone/rclone: >= 1.48.0, <= 1.73.4

References

https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q(x_refsource_CONFIRM)
https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/backend/webdav/webdav.go(x_refsource_MISC)
https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/operations/rc.go(x_refsource_MISC)
https://github.com/rclone/rclone/blob/bf55d5e6d37fd86164a87782191f9e1ffcaafa82/fs/rc/cache.go(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB15h ago

CVE-2026-41179 | Rclone up to 1.73.4 RC Endpoint operations/fsinfo bearer_token_command os command injection (GHSA-jfwf-28xr-xw6q)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

github.com/rclone/rclone@1.73.5

CWECWE-78, CWE-306

PublishedApr 22, 2026

Last enriched14h agov2

Tags

GHSA-jfwf-28xr-xw6qgo

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-6920EXP

CVE-2026-6920: Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromi

CRITICALCVE-2026-6296EXP

CVE-2026-6296: Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform

HIGHCVE-2026-6297EXP

CVE-2026-6297: Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to

HIGHCVE-2026-6299EXP

CVE-2026-6299: Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code

HIGHCVE-2026-5873EXP

CVE-2026-5873: Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrar

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 22, 2026

Discovered by ZDM

Apr 22, 2026

Actively Exploited

Apr 23, 2026

Patch Available

Apr 23, 2026

Updated: description, severity, activelyExploited

Apr 23, 2026

Version History

v2

Last enriched 14h ago

v2Tier C14h ago

Updated severity to CRITICAL, added CVE-2026-41179, and corrected exploit availability to false.

descriptionseverityactivelyExploited

via VulDB

v11d ago

Initial creation