Source: rclone Version: 1.69.3+dfsg-3 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for rclone. CVE-2026-49980[0]: | Rclone is a command-line program to sync files and directories to | and from different cloud storage providers. From 1.46.0 until | 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD | requests to paths of the form: /[remote:path]/object. The remote | value is parsed from the URL and passed to normal backend | initialization. Inline remote configuration can set backend options | that execute local commands during initialization. As a result, a | single unauthenticated GET or HEAD request can execute a command as | the rclone process user. This vulnerability is fixed in 1.74.3. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-49980 https://www.cve.org/CVERecord?id=CVE-2026-49980 [1] https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv Please adjust the affected versions in the BTS as needed. Regards, Salvatore
