CVE-2026-41176
Publication date 23 April 2026
Last updated 2 June 2026
Ubuntu priority
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rclone | 26.04 LTS resolute |
Fixed 1.60.1+dfsg-4ubuntu3.1
|
| 25.10 questing |
Fixed 1.60.1+dfsg-4ubuntu2.1
|
|
| 24.04 LTS noble |
Fixed 1.60.1+dfsg-3ubuntu0.24.04.5
|
|
| 22.04 LTS jammy |
Fixed 1.53.3-4ubuntu1.22.04.4
|
|
| 20.04 LTS focal |
Fixed 1.50.2-2ubuntu0.2+esm1
|
|
| 18.04 LTS bionic |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8299-1
- Rclone vulnerabilities
- 25 May 2026