Two critical vulnerabilities (CVE-2026-41176 and CVE-2026-41179, both CVSS 9.8) in Rclone's remote control API allow for information disclosure and remote code execution via improper authorization and backend instantiation handling. Affected versions are rclone 1.45 through 1.73.4 for CVE-2026-41176 and rclone 1.48.0 through 1.73.4 for CVE-2026-41179. The fix requires upgrading to rclone version 1.73.5.
It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41176)

It was discovered that Rclone incorrectly handled backend instantiation via the remote control API. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41179)
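A small triage helper, added here as an example and not part of the advisory or of the Rclone project: it parses the first line of `rclone version` output and maps the installed version onto the two affected ranges stated above (1.45 through 1.73.4 for CVE-2026-41176, 1.48.0 through 1.73.4 for CVE-2026-41179, fixed in 1.73.5). The `check_installed` wrapper assumes an `rclone` binary on PATH; everything else runs offline on constructed input.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, exactly as stated in the advisory.
# "1.45" is read as 1.45.0 (rclone releases without a patch number are .0).
AFFECTED = {
    "CVE-2026-41176": ((1, 45, 0), (1, 73, 4)),
    "CVE-2026-41179": ((1, 48, 0), (1, 73, 4)),
}
FIXED_IN: Version = (1, 73, 5)


def parse_version(first_line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the first line of `rclone version`,
    e.g. 'rclone v1.73.4' or 'rclone v1.74.0-beta.1'. Missing patch -> 0."""
    m = re.search(r"(?:rclone\s+)?v?(\d+)\.(\d+)(?:\.(\d+))?", first_line)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version: Version) -> List[str]:
    """Return the CVE ids whose affected range contains this version."""
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi)


def needs_upgrade(version: Version) -> bool:
    """True when any listed CVE applies and the version predates the fix."""
    return bool(affected_cves(version)) and version < FIXED_IN


def check_installed() -> Optional[List[str]]:
    """Run the real binary (assumed on PATH); None if rclone is not installed."""
    if shutil.which("rclone") is None:
        return None
    out = subprocess.run(["rclone", "version"], capture_output=True, text=True)
    version = parse_version(out.stdout.splitlines()[0] if out.stdout else "")
    return affected_cves(version) if version else None


if __name__ == "__main__":
    # Constructed sample line; replace with check_installed() on a real host.
    v = parse_version("rclone v1.73.4")
    print(v, affected_cves(v), "upgrade to 1.73.5" if needs_upgrade(v) else "ok")
```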