Rclone RC NoAuth Bypass (1.45.01.73.4)
CVE-2026-41176 Published on April 22, 2026

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

NVD

Vulnerability Analysis

CVE-2026-41176 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.


Products Associated with CVE-2026-41176

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-41176 are published in these products:

 
 
 

Affected Versions

rclone: Red Hat OpenShift API for Data Protection: Red Hat OpenShift API for Data Protection: Red Hat OpenShift API for Data Protection: Red Hat Advanced Cluster Management for Kubernetes 2:

Exploit Probability

EPSS
35.44%
Percentile
98.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.