CVE-2026-41176 Overview
CVE-2026-41176 is a critical authentication bypass vulnerability in Rclone, a command-line program used to sync files and directories to and from different cloud storage providers. The vulnerability exists in the Remote Control (RC) endpoint options/set, which is exposed without the AuthRequired: true flag despite having the capability to mutate global runtime configuration, including the RC option block itself.
Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can exploit this flaw by setting rc.NoAuth=true, which effectively disables the authorization gate for many RC methods that were registered with AuthRequired: true. This vulnerability affects reachable RC servers that are started without global HTTP authentication enabled, allowing unauthorized access to sensitive administrative functionality including configuration and operational RC methods.
Critical Impact
Unauthenticated attackers can bypass authentication controls to gain access to administrative RC methods, potentially leading to unauthorized configuration changes, data exfiltration, and full compromise of the Rclone service and connected cloud storage backends.
Affected Products
- Rclone versions 1.45.0 through 1.73.4
- Rclone RC servers running without global HTTP authentication
- Any system with exposed Rclone RC endpoints accessible over the network
Discovery Timeline
- April 23, 2026 - CVE-2026-41176 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41176
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The core issue lies in the improper access control implementation within the Rclone RC server architecture. The options/set endpoint allows modification of runtime configuration parameters without requiring authentication, even though it can alter security-critical settings.
The vulnerability is particularly dangerous because the RC subsystem allows dynamic configuration changes at runtime. When an attacker successfully sets rc.NoAuth=true through the unprotected options/set endpoint, it cascades to affect all other RC methods that rely on the AuthRequired flag for access control. This creates a situation where a single unauthenticated request can compromise the entire security model of the RC server.
The network-accessible nature of the attack vector means that any Rclone RC server exposed to untrusted networks without additional authentication mechanisms is at risk. The attack requires no privileges, no user interaction, and can be performed with low complexity, making it highly exploitable in real-world scenarios.
Root Cause
The root cause of this vulnerability stems from an inconsistency in the access control model of the Rclone RC server. The options/set endpoint was registered without the AuthRequired: true flag, despite having the capability to modify security-sensitive configuration options. The design assumption that this endpoint would only be used for non-security-critical configuration changes was flawed, as the rc.NoAuth option directly controls the authentication enforcement for other endpoints.
The vulnerable code paths can be traced through the RC configuration handling in fs/rc/config.go and the server authentication logic in fs/rc/rcserver/rcserver.go. The lack of a security boundary between configuration options that affect authentication and those that do not created this exploitable condition.
Attack Vector
The attack is network-based and targets Rclone RC servers that are accessible without global HTTP authentication. An attacker can exploit this vulnerability by:
- Identifying an exposed Rclone RC server (typically running on port 5572)
- Sending a crafted HTTP request to the options/set endpoint to set rc.NoAuth=true
- Once authentication is disabled, accessing any previously protected RC methods
- Leveraging administrative RC methods to modify configurations, access cloud storage credentials, or perform other malicious actions
The attack does not require any prior authentication or special privileges. Once the rc.NoAuth flag is set, the attacker has full access to all RC functionality, including methods that manage cloud storage connections, credentials, and file operations.
For technical implementation details, refer to the GitHub Security Advisory GHSA-25qr-6mpr-f7qx and the relevant source files in the Rclone RC config module and RC server implementation.
Detection Methods for CVE-2026-41176
Indicators of Compromise
- Unexpected HTTP requests to the /rc/options/set endpoint, particularly those containing rc.NoAuth parameter modifications
- Sudden changes in Rclone RC server configuration, especially authentication-related settings
- Unauthorized access to protected RC endpoints from external IP addresses
- Log entries showing successful access to administrative RC methods without proper authentication
- Unusual cloud storage operations initiated through the RC interface from unknown sources
Detection Strategies
- Monitor HTTP access logs for requests to /rc/options/set and /rc/options/get endpoints from untrusted sources
- Implement network intrusion detection rules to identify attempts to modify RC authentication settings
- Deploy application-level monitoring to track changes to the rc.NoAuth configuration parameter
- Establish baseline behavior for RC server access patterns and alert on deviations
Monitoring Recommendations
- Enable verbose logging on Rclone RC servers to capture all endpoint access attempts
- Implement network segmentation to isolate RC servers and monitor cross-segment traffic
- Configure security information and event management (SIEM) rules to correlate RC access patterns with authentication events
- Regularly audit RC server configurations for unauthorized changes to authentication settings
How to Mitigate CVE-2026-41176
Immediate Actions Required
- Upgrade Rclone to version 1.73.5 or later immediately
- Enable global HTTP authentication on all RC servers using the --rc-user and --rc-pass flags
- Restrict network access to RC servers using firewall rules to allow only trusted IP addresses
- Audit existing RC server configurations for any signs of compromise or unauthorized modifications
Patch Information
The vulnerability has been patched in Rclone version 1.73.5. Organizations should upgrade to this version or later to remediate the vulnerability. The patch ensures that the options/set endpoint properly enforces authentication requirements and prevents modification of security-critical configuration options without authorization.
For detailed information about the fix and upgrade instructions, consult the GitHub Security Advisory GHSA-25qr-6mpr-f7qx.
Workarounds
- Configure global HTTP authentication using --rc-user and --rc-pass flags when starting the RC server
- Bind the RC server to localhost only using --rc-addr=127.0.0.1:5572 to prevent external access
- Implement network-level access controls (firewall rules, VPN requirements) to restrict RC server exposure
- Use reverse proxy with authentication in front of RC servers as an additional security layer
# Secure Rclone RC server configuration example
# Enable authentication and bind to localhost only
rclone rcd \
--rc-addr=127.0.0.1:5572 \
--rc-user=admin \
--rc-pass=<strong-password> \
--rc-allow-origin="*"
# Alternatively, use firewall rules to restrict access
# iptables example to allow only trusted IP
iptables -A INPUT -p tcp --dport 5572 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5572 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
