*** This bug is a security vulnerability *** Public security bug reported:
[ Impact ]

CVE-2026-41179 describes a remote-code-execution vulnerability for unauthenticated users of the rclone remote control API without global HTTP authentication. The `operations/fsinfo` endpoint was not marked as requiring authentication, so an unauthenticated caller could pass a backend connection string whose `bearer_token_command` option makes rclone execute an arbitrary command when the remote is instantiated.

[1] https://ubuntu.com/security/CVE-2026-41179
[2] https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q

[ Test Plan ]

```
# run rcd in a separate shell (or background it with &)
rclone rcd --rc-addr 127.0.0.1:5572
curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':"
```

Expected result:
- HTTP 403

Actual result:
- HTTP 200 JSON response from operations/fsinfo
- /tmp/rclone_fsinfo_rce_poc_marker is created on the host

[ Where problems could occur ]

The upstream fix adds `AuthRequired: true` to the endpoint configuration for the `operations/fsinfo` endpoint, which will break any users relying on unauthenticated access to that endpoint. Such users can restore the old behaviour with `--rc-no-auth`, at the cost of exposing every remote-creating endpoint without authentication.

[ Other details ]

The POC used in the GHSA for this CVE uses rclone backend connection strings, which were first implemented in rclone 1.55 [1]. Prior to 1.55, it was not possible to provide configuration options (such as `bearer_token_command`) via the API, so versions prior to 1.55 are not affected. Upstream fix at [2].

[1] https://github.com/rclone/rclone/issues/4996
[2] https://github.com/rclone/rclone/commit/9e3e68d00c3ecf475a1432fc206400cfb4df7e3f

** Affects: rclone (Ubuntu)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Jammy)
     Importance: Undecided
         Status: Invalid

** Affects: rclone (Ubuntu Noble)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Questing)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Resolute)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Stonking)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Also affects: rclone (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Stonking)
   Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
       Status: In Progress

** Also affects: rclone (Ubuntu Resolute)
   Importance: Undecided
       Status: New

** Changed in: rclone (Ubuntu Jammy)
       Status: New => Invalid

** Changed in: rclone (Ubuntu Noble)
       Status: New => In Progress

** Changed in: rclone (Ubuntu Questing)
       Status: New => In Progress

** Changed in: rclone (Ubuntu Resolute)
       Status: New => In Progress

** Changed in: rclone (Ubuntu Resolute)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Questing)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Noble)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Resolute)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Questing)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Noble)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** CVE added:
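The PoC above works because rclone parses the `fs` parameter as a backend connection string and honours every backend option inside it, including options that run a program. The following Go program is an added example, not code from this bug report, the GHSA, or the rclone project: it re-implements the documented connection-string syntax (":backend" or "remote", then ",key=value" options with optional '...' or "..." quoting where a doubled quote stands for one literal quote, then ":path") so that captured `fs` values can be inspected for command-executing options. The sample `fs` values in `main` are constructed; treating a bare ",key" as boolean true and flagging any key ending in "_command" are assumptions, since the advisory only names `bearer_token_command`.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ConnString is the parsed form of an rclone-style connection string. This is an
// independent re-implementation for inspection, not rclone's own parser.
type ConnString struct {
	Backend string            // backend type for inline ":backend" strings, or a configured remote name
	Inline  bool              // true when the backend was given inline with a leading ':'
	Options map[string]string // backend options carried in the string
	Path    string            // path component after the final ':'
}

// ParseConnString parses s. A plain local path (no remote name followed by ':')
// is not a connection string and yields an error.
func ParseConnString(s string) (*ConnString, error) {
	cs := &ConnString{Options: map[string]string{}}
	i := 0
	if strings.HasPrefix(s, ":") {
		cs.Inline = true
		i = 1
	}
	// Remote or backend name runs until ',' (options follow) or ':' (path follows).
	j := i
	for j < len(s) && s[j] != ',' && s[j] != ':' {
		j++
	}
	if j == len(s) || j == i {
		return nil, errors.New("not a connection string: no remote name followed by ',' or ':'")
	}
	cs.Backend = s[i:j]
	i = j
	for s[i] == ',' {
		i++ // consume ','
		k := i
		for k < len(s) && s[k] != '=' && s[k] != ',' && s[k] != ':' {
			k++
		}
		if k == len(s) || k == i {
			return nil, errors.New("malformed option at offset " + fmt.Sprint(i))
		}
		key := s[i:k]
		val := "true" // assumption: a bare ",key" with no value means boolean true
		i = k
		if s[i] == '=' {
			i++
			if i < len(s) && (s[i] == '\'' || s[i] == '"') {
				q := s[i]
				i++
				var b strings.Builder
				for {
					if i >= len(s) {
						return nil, errors.New("unterminated quoted value for " + key)
					}
					if s[i] == q {
						if i+1 < len(s) && s[i+1] == q { // doubled quote: one literal quote
							b.WriteByte(q)
							i += 2
							continue
						}
						i++ // closing quote
						break
					}
					b.WriteByte(s[i])
					i++
				}
				val = b.String()
			} else {
				k = i
				for k < len(s) && s[k] != ',' && s[k] != ':' {
					k++
				}
				val = s[i:k]
				i = k
			}
		}
		if i >= len(s) || (s[i] != ',' && s[i] != ':') {
			return nil, errors.New("expected ',' or ':' after option " + key)
		}
		cs.Options[key] = val
	}
	cs.Path = s[i+1:] // s[i] is the ':' that ends the remote part
	return cs, nil
}

// CommandOptions returns, sorted, the option keys that make a backend execute a
// program. bearer_token_command is the one the PoC uses; matching on the
// "_command" suffix is an assumption chosen to catch similarly named options.
func CommandOptions(cs *ConnString) []string {
	var found []string
	for k := range cs.Options {
		if strings.HasSuffix(k, "_command") {
			found = append(found, k)
		}
	}
	sort.Strings(found)
	return found
}

// Suspicious reports whether an rc request's "fs" parameter carries
// command-executing backend options, on an inline backend or as overrides
// on a configured remote ("myremote,bearer_token_command=...:path").
func Suspicious(fs string) bool {
	cs, err := ParseConnString(fs)
	if err != nil {
		return false
	}
	return len(CommandOptions(cs)) > 0
}

func main() {
	// Constructed sample "fs" values, as they would appear in a captured request body.
	samples := []string{
		":webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsinfo_rce_poc_marker':",
		":s3,provider=AWS,region=us-east-1:bucket/prefix",
		"myremote:backup/2024",
		"/srv/data",
	}
	for _, fs := range samples {
		fmt.Printf("suspicious=%-5v fs=%s\n", Suspicious(fs), fs)
	}
}
```

Quoting matters here: the PoC quotes the `url` value because the bare `:` in `http://` would otherwise terminate the remote part, so a detector that only splits on `,` and `:` without honouring quotes will mis-parse exactly the payloads it is meant to catch. Only the `operations/fsinfo` gating is fixed upstream; any reverse proxy in front of rcd that wants to log or block such requests has to parse the body, since rclone's own access log does not contain it.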
https://cve.org/CVERecord?id=CVE-2026-41179

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152914

Title:
  CVE-2026-41179

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rclone/+bug/2152914/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
