
CVE-2026-41179: Rclone RC Endpoint RCE Vulnerability

CVE-2026-41179 is a remote code execution flaw in Rclone that allows unauthenticated attackers to execute commands via the RC endpoint. This post covers technical details, affected versions, impact, and mitigation.

Published: April 23, 2026

CVE-2026-41179 Overview

CVE-2026-41179 is a critical command injection vulnerability in Rclone, a widely used command-line program for synchronizing files and directories across different cloud storage providers. The vulnerability affects the Remote Control (RC) endpoint operations/fsinfo, which is exposed without an authentication requirement.

Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint accepts attacker-controlled fs input without requiring authentication. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. When targeting the WebDAV backend specifically, the bearer_token_command parameter is executed during backend initialization, enabling single-request unauthenticated local command execution on reachable RC deployments that lack global HTTP authentication.

Critical Impact

Unauthenticated remote attackers can achieve arbitrary command execution on systems running vulnerable Rclone RC deployments without global HTTP authentication configured.

Affected Products

  • Rclone versions 1.48.0 through 1.73.4
  • Systems with exposed RC endpoints without global HTTP authentication
  • Deployments using the WebDAV backend configuration

Discovery Timeline

  • April 23, 2026 - CVE-2026-41179 published to NVD
  • April 23, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41179

Vulnerability Analysis

This vulnerability represents a classic CWE-78 (OS Command Injection) flaw stemming from insufficient access control on a sensitive API endpoint. The RC (Remote Control) interface in Rclone provides programmatic access to various file system operations, and the operations/fsinfo endpoint was inadvertently exposed without the AuthRequired: true flag.

The core issue lies in how Rclone's filesystem initialization handles inline backend definitions. When an attacker sends a request to the operations/fsinfo endpoint with a crafted fs parameter, the rc.GetFs(...) function processes this input and attempts to instantiate the specified backend. For WebDAV backends, the bearer_token_command option specifies an external command used to retrieve authentication tokens, a legitimate feature that becomes dangerous when an attacker controls it.

This vulnerability enables network-based attacks with no user interaction required, allowing complete system compromise through arbitrary command execution in the context of the Rclone process.

Root Cause

The root cause of CVE-2026-41179 is the missing authentication requirement on the operations/fsinfo RC endpoint combined with the powerful inline backend definition feature. The endpoint was registered without AuthRequired: true, allowing unauthenticated access to functionality that can trigger command execution through backend initialization.

The WebDAV backend's bearer_token_command feature, designed for legitimate authentication token retrieval, becomes an exploitation vector when an attacker can control the backend configuration through the unauthenticated endpoint.

Attack Vector

The attack exploits the network-accessible RC interface through a single HTTP request. An attacker sends a crafted POST request to the operations/fsinfo endpoint with a malicious fs parameter that defines an inline WebDAV backend configuration. This configuration includes a bearer_token_command set to the attacker's desired command.

When Rclone processes this request:

  1. The rc.GetFs(...) function parses the inline backend definition
  2. A new WebDAV backend instance is created with the attacker-specified configuration
  3. During backend initialization, bearer_token_command is executed
  4. The attacker's command runs with the privileges of the Rclone process

The attack requires no prior authentication and can be executed with a single HTTP request against any exposed RC endpoint lacking global HTTP authentication. Technical implementation details can be found in the GitHub Security Advisory GHSA-jfwf-28xr-xw6q and the relevant source files including rc.go and webdav.go.

Detection Methods for CVE-2026-41179

Indicators of Compromise

  • Unexpected HTTP POST requests to the /operations/fsinfo endpoint from external IP addresses
  • Rclone RC access logs showing requests with inline WebDAV backend definitions containing bearer_token_command
  • Unusual child processes spawned by the Rclone process
  • Suspicious command executions in the context of the user running Rclone

Detection Strategies

  • Monitor network traffic for HTTP POST requests to Rclone RC endpoints (/operations/fsinfo) from untrusted sources
  • Implement log analysis rules to detect requests containing webdav backend strings with bearer_token_command parameters
  • Deploy endpoint detection rules for unusual process trees originating from Rclone processes
  • Use SentinelOne's behavioral AI to detect command injection patterns and unexpected command execution

Monitoring Recommendations

  • Enable verbose logging on Rclone RC deployments to capture all incoming requests
  • Configure SIEM alerts for access to sensitive RC endpoints from external networks
  • Monitor system call activity for Rclone processes using EDR solutions
  • Implement network segmentation to restrict RC endpoint access to authorized internal systems only
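
The log-analysis rule described under Detection Strategies, together with the external-access alert from the monitoring list, can be sketched as follows. This is an added example, not SentinelOne or Rclone code; the record layout (src, method, url, body), the trusted networks and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumption: networks allowed to reach the RC interface at this site.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
ENDPOINT = "/operations/fsinfo"
MARKER = "bearer_token_command"

def fully_unquote(text):
    """Percent-decode until stable so a multiply-encoded marker still matches."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text

def classify(record):
    """Return 'alert', 'review' or None for one request record (a dict)."""
    parts = urlsplit(record["url"])
    path = fully_unquote(parts.path).rstrip("/")
    if record["method"].upper() != "POST" or path != ENDPOINT:
        return None
    # RC parameters can travel in the query string or the body: search both.
    params = fully_unquote(parts.query + " " + record.get("body", "")).lower()
    if MARKER in params:
        return "alert"      # backend definition carrying a token command
    source = ipaddress.ip_address(record["src"])
    if not any(source in net for net in TRUSTED_NETS):
        return "review"     # sensitive endpoint reached from an untrusted address
    return None

# Constructed records; payload values are redacted placeholders, not real requests.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "method": "POST", "url": "/operations/fsinfo",
     "body": '{"fs": "<inline webdav backend; bearer_token_command=REDACTED>"}'},
    {"src": "10.1.2.3", "method": "POST",
     "url": "/operations/fsinfo?fs=%3CREDACTED%20bearer%255Ftoken%255Fcommand%3E", "body": ""},
    {"src": "198.51.100.20", "method": "POST", "url": "/operations/fsinfo",
     "body": '{"fs": "gdrive:"}'},
    {"src": "10.1.2.3", "method": "POST", "url": "/operations/fsinfo/",
     "body": '{"fs": "gdrive:"}'},
    {"src": "203.0.113.7", "method": "POST", "url": "/core/version", "body": "{}"},
]

def triage(records):
    """Classify every record, preserving input order."""
    return [classify(r) for r in records]
```

JSON \u escapes inside a logged body are not decoded here; parse the body as JSON before matching if the log source captures bodies.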

How to Mitigate CVE-2026-41179

Immediate Actions Required

  • Upgrade Rclone to version 1.73.5 or later immediately
  • If immediate patching is not possible, enable global HTTP authentication on all RC deployments using --rc-user and --rc-pass flags
  • Restrict network access to RC endpoints using firewall rules
  • Audit existing Rclone deployments for exposure to untrusted networks

Patch Information

The vulnerability is patched in Rclone version 1.73.5. The fix adds proper authentication requirements to the operations/fsinfo endpoint by including AuthRequired: true in the endpoint registration. Organizations should upgrade to version 1.73.5 or later to remediate this vulnerability. For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Enable HTTP authentication on the RC interface with --rc-user=<username> --rc-pass=<password> flags
  • Bind the RC interface to localhost only using --rc-addr=127.0.0.1:5572 if remote access is not required
  • Implement network-level access controls to restrict RC endpoint access to trusted IP addresses
  • Consider disabling the RC interface entirely if not actively required for operations
```bash
# Secure Rclone RC configuration example
# Enable authentication and bind to localhost only
rclone rcd --rc-addr=127.0.0.1:5572 --rc-user=admin --rc-pass='StrongPassword123!'

# Alternative: Use HTTPS with authentication
# (--rc-addr=:5572 listens on all interfaces, so pair it with network-level access controls)
rclone rcd --rc-addr=:5572 --rc-user=admin --rc-pass='StrongPassword123!' --rc-cert=/path/to/cert.pem --rc-key=/path/to/key.pem
```
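
To audit existing deployments against the affected version range and the workarounds above, the following added example (not part of the original advisory or the Rclone project) checks a version string and a process command line. It assumes settings are passed as command-line flags only, treats localhost:5572 as the default bind address, also accepts rclone's --rc-htpasswd flag (not named on this page) as authentication, and uses a constructed inventory.

```python
import ipaddress
import re
import shlex

FIRST_AFFECTED, FIRST_FIXED = (1, 48, 0), (1, 73, 5)  # range stated in the advisory text

def parse_version(text):  # e.g. 'rclone v1.60.0' -> (1, 60, 0)
    match = re.search(r"v(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part) for part in match.groups())

def rc_flags(args):
    """Map each --rc* flag to its value ('--flag=value' or '--flag value')."""
    flags = {}
    for i, arg in enumerate(args):
        name, sep, value = arg.partition("=")
        following = args[i + 1] if i + 1 < len(args) else "-"
        if name.startswith("--rc"):
            flags[name] = value if sep or following.startswith("-") else following
    return flags

def is_loopback(addr):
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # ':5572' (all interfaces) or another hostname
        return False

def audit(version_text, cmdline):
    """Return findings for one rclone process; an empty list means none."""
    args = shlex.split(cmdline)
    flags = rc_flags(args)
    if "rcd" not in args and "--rc" not in flags:
        return []  # RC interface not enabled on this process
    findings = []
    if FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED:
        findings.append("affected version: upgrade to 1.73.5 or later")
    if not ("--rc-htpasswd" in flags or flags.keys() >= {"--rc-user", "--rc-pass"}):
        findings.append("no global HTTP authentication on the RC interface")
    if not is_loopback(flags.get("--rc-addr", "localhost:5572")):  # assumed default
        findings.append("RC listens beyond loopback: restrict network access")
    return findings

INVENTORY = [  # constructed sample: (host label, version line, command line)
    ("backup-01", "rclone v1.60.0", "rclone rcd --rc-addr=:5572"),
    ("backup-02", "rclone v1.60.0", "rclone rcd --rc-addr [::1]:5572 --rc-user=u --rc-pass=X"),
    ("media-01", "rclone v1.73.5", "rclone mount remote: /mnt/data --rc"),
]
```

Calling audit(version, cmdline) for each INVENTORY entry returns three findings for backup-01, only the upgrade finding for backup-02, and only the missing-authentication finding for media-01.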

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Rclone
  • Severity: CRITICAL
  • CVSS Score: 9.2
  • EPSS Probability: 0.07%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-78

Technical References

  • GitHub WebDAV Go Backend
  • GitHub RC Operations Go
  • GitHub RC Cache Go
  • GitHub Security Advisory GHSA-jfwf-28xr-xw6q

Related CVEs

  • CVE-2026-41176: Rclone Auth Bypass Vulnerability