
fix(deps): update module github.com/rclone/rclone to v1.73.5 [security]#655

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-rclone-rclone-vulnerability

Conversation


@renovate renovate Bot commented Apr 22, 2026

This PR contains the following updates:

Package Change
github.com/rclone/rclone v1.68.2 -> v1.73.5

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

CVE-2026-41176 / GHSA-25qr-6mpr-f7qx

More information

Details

Summary

The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with AuthRequired: true on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.

Preconditions

Preconditions for this vulnerability are:

  • The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
  • The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
  • The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc
Details

The root cause is present from v1.45 onward. Some higher-impact exploitation paths became available in later releases as additional RC functionality was introduced.

The issue is caused by two properties of the RC implementation:

  1. options/set is exposed without AuthRequired: true
  2. the RC server enforces authorization for AuthRequired calls using the mutable runtime value s.opt.NoAuth

Relevant code paths:

  • fs/rc/config.go

    • registers options/set without AuthRequired: true
    • rcOptionsSet reshapes attacker-controlled input into global option blocks
  • fs/rc/rcserver/rcserver.go

    • request handling checks:
      • if !s.opt.NoAuth && call.AuthRequired && !s.server.UsingAuth()
    • once rc.NoAuth is changed to true, later AuthRequired methods become callable without credentials

This creates a runtime auth-bypass primitive on the RC interface.

After setting rc.NoAuth=true, previously protected administrative methods become callable, including configuration and operational endpoints such as:

  • config/listremotes
  • config/dump
  • config/get
  • operations/list
  • operations/copyfile
  • core/command

Relevant code for the second-stage command execution path:

  • fs/metadata.go

    • metadataMapper() uses exec.Command(...)
  • fs/operations/rc.go

    • operations/copyfile is normally AuthRequired: true
    • once rc.NoAuth=true, it becomes reachable without credentials

This was validated using the following:

  • current master as of 2026-04-14: bf55d5e6d37fd86164a87782191f9e1ffcaafa82
  • latest public release tested locally: v1.73.4

The issue was also verified on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

PoC
Minimal reproduction

Start a vulnerable server:

rclone rcd --rc-addr 127.0.0.1:5572

No --rc-user, no --rc-pass, no --rc-htpasswd.

First confirm that a protected RC method is initially blocked:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 403.

Use unauthenticated options/set to disable the auth gate:

curl -sS -X POST http://127.0.0.1:5572/options/set \
  -H 'Content-Type: application/json' \
  --data '{"rc":{"NoAuth":true}}'

Expected result: HTTP 200 {}

Then call the same protected method again without credentials:

curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'

Expected result: HTTP 200 with a JSON response such as:

{"remotes":[]}
Testing performed

This was successfully reproduced:

  • on the tester's local test environment
  • on a public amd64 Ubuntu host controlled by the tester

Using the public host, the following was confirmed:

  • unauthenticated options/set successfully set rc.NoAuth=true
  • previously protected RC methods became callable without credentials
  • the issue was reproducible through direct host execution
Impact

This is an authorization bypass on the RC administrative interface.

It can allow an unauthenticated network attacker, on a reachable RC deployment without global HTTP authentication, to disable the intended auth boundary for protected RC methods and gain access to sensitive configuration and operational functionality.

Depending on the enabled RC surface and runtime configuration, this can further enable higher-impact outcomes such as local file read, credential/config disclosure, filesystem enumeration, and command execution.

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

CVE-2026-41179 / GHSA-jfwf-28xr-xw6q

More information

Details

Summary

The RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, bearer_token_command is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication.

Preconditions

Preconditions for this vulnerability are:

  • The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
  • The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
  • The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc
Details

The root cause consists of the following pieces:

  1. operations/fsinfo is not protected with AuthRequired: true
  2. operations/fsinfo calls rc.GetFs(...) on attacker-controlled input
  3. rc.GetFs(...) supports inline backend creation through object-valued fs
  4. WebDAV backend initialization executes bearer_token_command

Relevant code paths:

  • fs/operations/rc.go

    • operations/fsinfo is registered without AuthRequired: true
    • rcFsInfo() calls rc.GetFs(ctx, in)
  • fs/rc/cache.go

    • GetFs() / GetFsNamed() can parse an object-valued fs
    • getConfigMap() converts attacker-controlled JSON into a backend config string
  • backend/webdav/webdav.go

    • bearer_token_command is a supported backend option
    • NewFs(...) calls fetchAndSetBearerToken() when bearer_token_command is set
    • fetchBearerToken() invokes exec.Command(...)

This creates a practical single-request unauthenticated command-execution primitive on reachable RC servers without global HTTP authentication.

This was validated on:

  • current master as of 2026-04-14: bf55d5e6d37fd86164a87782191f9e1ffcaafa82
  • latest public release tested locally: v1.73.4

This was also validated on a public amd64 Ubuntu host controlled by the tester, using direct host execution (not containerized PoC execution).

PoC
Minimal single-request form PoC

Start a vulnerable RC server:

rclone rcd --rc-addr 127.0.0.1:5572

No --rc-user, no --rc-pass, no --rc-htpasswd.

Then send a single request:

curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':"

Expected result:

  • HTTP 200 JSON response from operations/fsinfo
  • /tmp/rclone_fsinfo_rce_poc_marker is created on the host
Impact

This is effectively a single-request unauthenticated command-execution vulnerability on reachable RC deployments without global HTTP authentication.

In practice, command execution in the rclone process context can lead to higher-impact outcomes such as local file read, file write, or shell access, depending on the deployed environment.

Testing performed

This was successfully reproduced:

  • on a local test environment
  • on a public amd64 Ubuntu host controlled by the tester

On the public host it was confirmed:

  • the unauthenticated operations/fsinfo exploit worked
  • command execution occurred on the host
  • the issue was reproducible through direct host execution

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

rclone/rclone (github.com/rclone/rclone)

v1.73.5: rclone v1.73.5

Compare Source

This is the v1.73.5 release of rclone.

Full details of the changes can be found in the changelog.

v1.73.4: rclone v1.73.4

Compare Source

This is the v1.73.4 release of rclone.

Full details of the changes can be found in the changelog.

v1.73.3: rclone v1.73.3

Compare Source

This is the v1.73.3 release of rclone.

Full details of the changes can be found in the changelog.

v1.73.2: rclone v1.73.2

Compare Source

This is the v1.73.2 release of rclone.

Full details of the changes can be found in the changelog.

v1.73.1: rclone v1.73.1

Compare Source

This is the v1.73.1 release of rclone.

Full details of the changes can be found in the changelog.

v1.73.0: rclone v1.73.0

Compare Source

This is the v1.73.0 release of rclone.

Full details of the changes can be found in the changelog.

v1.72.1: rclone v1.72.1

Compare Source

This is the v1.72.1 release of rclone.

Full details of the changes can be found in the changelog.

v1.72.0: rclone v1.72.0

Compare Source

This is the v1.72.0 release of rclone.

Full details of the changes can be found in the changelog.

v1.71.2: rclone v1.71.2

Compare Source

This is the v1.71.2 release of rclone.

Full details of the changes can be found in the changelog.

v1.71.1: rclone v1.71.1

Compare Source

This is the v1.71.1 release of rclone.

Full details of the changes can be found in the changelog.

v1.71.0: rclone v1.71.0

Compare Source

This is the v1.71.0 release of rclone.

Full details of the changes can be found in the changelog.

v1.70.3: rclone v1.70.3

Compare Source

This is the v1.70.3 release of rclone.

Full details of the changes can be found in the changelog.

v1.70.2: rclone v1.70.2

Compare Source

This is the v1.70.2 release of rclone.

Full details of the changes can be found in the changelog.

v1.70.1: rclone v1.70.1

Compare Source

This is the v1.70.1 release of rclone.

Full details of the changes can be found in the changelog.

v1.70.0: rclone v1.70.0

Compare Source

This is the v1.70.0 release of rclone.

Full details of the changes can be found in the changelog.

v1.69.3: rclone v1.69.3

Compare Source

This is the v1.69.3 release of rclone.

Full details of the changes can be found in the changelog.

v1.69.2: rclone v1.69.2

Compare Source

This is the v1.69.2 release of rclone.

Full details of the changes can be found in the changelog.

v1.69.1: rclone v1.69.1

Compare Source

This is the v1.69.1 release of rclone.

Full details of the changes can be found in the changelog.

v1.69.0: rclone v1.69.0

Compare Source

This is the v1.69.0 release of rclone.

Full details of the changes can be found in the changelog.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
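The CVE-2026-41176 mechanism from the first advisory above, modelled in Go as an added example that is not rclone's code and not its patch: a toy RC server with the two properties the advisory names, an options/set method registered without AuthRequired and an auth gate that reads the mutable rc.NoAuth value on every request. ReplayPoC drives the page's three curl steps against it. The hardened variant is one illustrative fix chosen for this example (require auth for options/set, refuse runtime changes to the rc block, and have the gate use the NoAuth value captured at startup), not a description of what v1.73.5 changed. The names rcServer, rcCall, newRCServer and ReplayPoC are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// rcOptions is a minimal stand-in for the global "rc" option block that the
// advisory says an unauthenticated options/set call can rewrite (hypothetical
// model for this example, not rclone's own type).
type rcOptions struct {
	NoAuth bool `json:"NoAuth"`
}

// rcCall is one registered RC method and whether it demands authentication.
type rcCall struct {
	AuthRequired bool
	Fn           func(in map[string]any) (map[string]any, int)
}

// rcServer models the two properties named in the advisory: options/set is
// registered without AuthRequired, and the auth gate consults the mutable
// runtime value opt.NoAuth on every request.
type rcServer struct {
	mu            sync.Mutex
	opt           rcOptions
	usingAuth     bool // true when started with --rc-user/--rc-pass/--rc-htpasswd
	hardened      bool
	noAuthAtStart bool // snapshot taken at startup; only the hardened gate uses it
	calls         map[string]rcCall
}

func newRCServer(usingAuth, hardened bool) *rcServer {
	s := &rcServer{usingAuth: usingAuth, hardened: hardened, calls: map[string]rcCall{}}
	s.noAuthAtStart = s.opt.NoAuth
	s.calls["config/listremotes"] = rcCall{AuthRequired: true, Fn: func(map[string]any) (map[string]any, int) {
		return map[string]any{"remotes": []string{}}, http.StatusOK
	}}
	// Vulnerable registration: AuthRequired is false, exactly the gap the
	// advisory describes. The hardened variant requires auth here too.
	s.calls["options/set"] = rcCall{AuthRequired: hardened, Fn: s.optionsSet}
	return s
}

// optionsSet reshapes the request body into the global option block, as the
// advisory says rcOptionsSet does. The hardened variant treats the "rc"
// block as immutable at runtime.
func (s *rcServer) optionsSet(in map[string]any) (map[string]any, int) {
	rc, ok := in["rc"].(map[string]any)
	if !ok || s.hardened {
		return map[string]any{}, http.StatusOK
	}
	if v, ok := rc["NoAuth"].(bool); ok {
		s.opt.NoAuth = v
	}
	return map[string]any{}, http.StatusOK
}

func (s *rcServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.calls[strings.TrimPrefix(r.URL.Path, "/")]
	if !ok {
		http.Error(w, `{"error":"method not found"}`, http.StatusNotFound)
		return
	}
	// The gate quoted in the advisory reads the live value s.opt.NoAuth; the
	// hardened gate reads the value captured at startup instead.
	noAuth := s.opt.NoAuth
	if s.hardened {
		noAuth = s.noAuthAtStart
	}
	if !noAuth && c.AuthRequired && !s.usingAuth {
		http.Error(w, `{"error":"authentication required"}`, http.StatusForbidden)
		return
	}
	var in map[string]any
	_ = json.NewDecoder(r.Body).Decode(&in)
	out, code := c.Fn(in)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_ = json.NewEncoder(w).Encode(out)
}

// post issues one RC call with a JSON body and returns the HTTP status code.
func post(h http.Handler, path, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h.ServeHTTP(rec, req)
	return rec.Code
}

// ReplayPoC runs the advisory's three-step reproduction against a server
// started without HTTP authentication: protected call, unauthenticated
// options/set flipping rc.NoAuth, protected call again.
func ReplayPoC(hardened bool) [3]int {
	s := newRCServer(false, hardened)
	var codes [3]int
	codes[0] = post(s, "/config/listremotes", `{}`)
	codes[1] = post(s, "/options/set", `{"rc":{"NoAuth":true}}`)
	codes[2] = post(s, "/config/listremotes", `{}`)
	return codes
}

func main() {
	fmt.Println("vulnerable:", ReplayPoC(false)) // [403 200 200]
	fmt.Println("hardened:  ", ReplayPoC(true))  // [403 403 403]
}
```

The vulnerable sequence reproduces the 403 / 200 / 200 pattern the advisory's curl steps expect. For a real deployment the preconditions listed in both advisories are the operational checklist: update to v1.73.5, start rcd with --rc-user/--rc-pass or --rc-htpasswd, and do not bind --rc-addr beyond localhost unless the listener is otherwise protected.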

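An added detection example for both advisories (not rclone's code): a Go checker that runs over captured RC request bodies and flags the two indicators the page describes, an options/set call touching rc.NoAuth (CVE-2026-41176) and an fs parameter that is an inline backend definition carrying a command-executing option (CVE-2026-41179). Assumptions made here: the captured-traffic shape (Request) is constructed for the example; the connection-string parser is a simplified approximation of rclone's syntax (single-quoted values may contain commas and colons, a literal quote is written as two quotes, an unquoted ':' closes the definition); the object-valued fs form is assumed to name its backend under a type key as rclone config sections do; matching any option ending in _command generalises beyond the one option (bearer_token_command) the page names. The page's fsinfo PoC is fed in as JSON rather than the form encoding curl --data-urlencode produces; form bodies would need decoding with url.ParseQuery first.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request is one captured RC call with its JSON body (constructed shape; a
// logging reverse proxy in front of rcd would be the real source).
type Request struct{ Path, Body string }

// parseConnectionString splits ":backend,key=value,key='quoted, value':path"
// into backend name and options. Single-quoted values may hold commas and
// colons and write a literal quote as ''. Simplified re-implementation for
// this example, not rclone's own parser.
func parseConnectionString(s string) (backend string, opts map[string]string, ok bool) {
	if !strings.HasPrefix(s, ":") {
		return "", nil, false
	}
	var fields []string
	var cur strings.Builder
	var inQuote, closed bool
	for i := 1; i < len(s) && !closed; i++ {
		c := s[i]
		switch {
		case inQuote && c == '\'' && i+1 < len(s) && s[i+1] == '\'':
			cur.WriteByte('\'') // doubled quote inside quotes is a literal quote
			i++
		case c == '\'':
			inQuote = !inQuote
		case !inQuote && (c == ',' || c == ':'):
			fields = append(fields, cur.String())
			cur.Reset()
			closed = c == ':' // unquoted ':' terminates the definition
		default:
			cur.WriteByte(c)
		}
	}
	if !closed || len(fields) == 0 {
		return "", nil, false
	}
	opts = map[string]string{}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		opts[k] = v
	}
	return fields[0], opts, true
}

// isCommandOption flags options whose value rclone runs as a program. Only
// bearer_token_command is named on the page; the suffix match is a guess.
func isCommandOption(key string) bool { return strings.HasSuffix(key, "_command") }

// Analyze returns "path: reason" findings for two rules: options/set touching
// rc.NoAuth (CVE-2026-41176), and an fs parameter that is an inline backend
// definition, string or object form, carrying a command-executing option
// (CVE-2026-41179). The object form is assumed to name its backend in "type".
func Analyze(reqs []Request) []string {
	var out []string
	for _, r := range reqs {
		var p map[string]any
		_ = json.Unmarshal([]byte(r.Body), &p) // undecodable bodies yield no params
		if rc, ok := p["rc"].(map[string]any); ok && strings.HasSuffix(r.Path, "options/set") {
			if _, has := rc["NoAuth"]; has {
				out = append(out, r.Path+": options/set changes rc.NoAuth")
			}
		}
		var backend string
		var opts map[string]string
		switch fs := p["fs"].(type) {
		case string:
			backend, opts, _ = parseConnectionString(fs)
		case map[string]any:
			opts = map[string]string{}
			for k, v := range fs {
				opts[k] = fmt.Sprint(v)
			}
			backend = opts["type"]
		}
		for k, v := range opts {
			if isCommandOption(k) {
				out = append(out, fmt.Sprintf("%s: inline %s backend with %s=%q", r.Path, backend, k, v))
			}
		}
	}
	return out
}

// SampleRequests is constructed traffic: the page's two PoCs (the fsinfo one
// as JSON rather than form data), a benign call, and the object-valued form.
func SampleRequests() []Request {
	return []Request{
		{"/operations/fsinfo", `{"fs":":webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':"}`},
		{"/options/set", `{"rc":{"NoAuth":true}}`},
		{"/operations/list", `{"fs":"remote:","remote":"dir"}`},
		{"/operations/fsinfo", `{"fs":{"type":"webdav","url":"http://127.0.0.1/","bearer_token_command":"id"}}`},
	}
}

func main() { fmt.Println(strings.Join(Analyze(SampleRequests()), "\n")) }
```

The benign operations/list call against a configured remote produces no finding, while both inline forms and the NoAuth flip do; the rules are deliberately independent of whether the request was authenticated, since on a server run with --rc-user/--rc-pass the same request is still worth a look.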

renovate Bot commented Apr 22, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 49 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.4 -> 1.25.0
github.com/minio/minio-go/v7 v7.0.94 -> v7.0.97
github.com/shirou/gopsutil/v4 v4.25.6 -> v4.25.10
github.com/spf13/cobra v1.8.1 -> v1.10.1
golang.org/x/sync v0.12.0 -> v0.20.0
golang.org/x/term v0.30.0 -> v0.40.0
github.com/coreos/go-systemd/v22 v22.5.0 -> v22.6.0
github.com/ebitengine/purego v0.8.4 -> v0.9.1
github.com/gabriel-vasile/mimetype v1.4.8 -> v1.4.11
github.com/go-openapi/errors v0.22.0 -> v0.22.4
github.com/go-openapi/strfmt v0.23.0 -> v0.25.0
github.com/go-playground/validator/v10 v10.26.0 -> v10.28.0
github.com/hashicorp/go-retryablehttp v0.7.7 -> v0.7.8
github.com/klauspost/cpuid/v2 v2.2.10 -> v2.3.0
github.com/minio/crc64nvme v1.0.1 -> v1.1.1
github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c -> v1.2.0
github.com/pkg/xattr v0.4.10 -> v0.4.12
github.com/tinylib/msgp v1.3.0 -> v1.5.0
go.mongodb.org/mongo-driver v1.17.2 -> v1.17.6
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
github.com/go-chi/chi/v5 v5.2.0 -> v5.2.5
github.com/go-logr/logr v1.4.2 -> v1.4.3
github.com/klauspost/compress v1.18.0 -> v1.18.1
github.com/lucasb-eyer/go-colorful v1.2.0 -> v1.3.0
github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 -> v0.0.0-20251013123823-9fd1530e3ec3
github.com/mailru/easyjson v0.9.0 -> v0.9.1
github.com/mattn/go-colorable v0.1.13 -> v0.1.14
github.com/mattn/go-runewidth v0.0.16 -> v0.0.19
github.com/prometheus/client_golang v1.20.5 -> v1.23.2
github.com/prometheus/client_model v0.6.1 -> v0.6.2
github.com/prometheus/common v0.61.0 -> v0.67.2
github.com/prometheus/procfs v0.15.1 -> v0.19.2
github.com/sirupsen/logrus v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/spf13/afero v1.11.0 -> v1.15.0
github.com/spf13/pflag v1.0.5 -> v1.0.10
github.com/tklauser/go-sysconf v0.3.14 -> v0.3.15
github.com/tklauser/numcpus v0.9.0 -> v0.10.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 -> v0.63.0
go.opentelemetry.io/otel v1.33.0 -> v1.39.0
go.opentelemetry.io/otel/metric v1.33.0 -> v1.39.0
go.opentelemetry.io/otel/trace v1.33.0 -> v1.39.0
golang.org/x/crypto v0.36.0 -> v0.48.0
golang.org/x/net v0.38.0 -> v0.51.0
golang.org/x/oauth2 v0.25.0 -> v0.34.0
golang.org/x/sys v0.31.0 -> v0.41.0
golang.org/x/text v0.23.0 -> v0.35.0
golang.org/x/time v0.9.0 -> v0.14.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc v1.69.2 -> v1.79.3
google.golang.org/protobuf v1.36.1 -> v1.36.10
