*** This bug is a security vulnerability ***

Public security bug reported:

[ Impact ]

CVE-2026-41176 describes an authorization bypass in the rclone remote control API, allowing an attacker to disable authentication for protected endpoints. This can enable local file read, credential/config disclosure, filesystem enumeration, and/or command execution.

[1] https://ubuntu.com/security/CVE-2026-41176
[2] https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx

[ Test Plan ]

Start the remote control daemon:

```
rclone rcd --rc-addr 127.0.0.1:5572
```

Unauthenticated write to `options/set`:

```
curl -sS -X POST http://127.0.0.1:5572/options/set \
  -H 'Content-Type: application/json' \
  --data '{"rc":{"NoAuth":true}}'
```

Expected result:
- HTTP 403

Actual result:
- HTTP 200

Protected endpoint read:

```
curl -sS -X POST http://127.0.0.1:5572/config/listremotes \
  -H 'Content-Type: application/json' \
  --data '{}'
```

Expected result:
- HTTP 403

Actual result:
- HTTP 200

[ Where problems could occur ]

Upstream 06aa958 sets `AuthRequired: true` for the `options/set` endpoint, which will break any users relying on unauthenticated access to that endpoint.

Upstream 0849097 stores a snapshot of the NoAuth option (`--rc-no-auth` [1]) when creating a Server object, which prevents runtime mutation of that option; the change may return HTTP 403 for requests that used to work if the NoAuth option is expected to be mutable at runtime.

[1] https://rclone.org/rc/#rc-no-auth

[ Other details ]

Upstream fix at [1][2].
[1] https://github.com/rclone/rclone/commit/06aa958ad6fd18ac14b9de9b5066ae09880196b1
[2] https://github.com/rclone/rclone/commit/08490972a53e4e838a594a4ccbe8fbac8c4815e3

** Affects: rclone (Ubuntu)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Affects: rclone (Ubuntu Jammy)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Affects: rclone (Ubuntu Noble)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Affects: rclone (Ubuntu Questing)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Affects: rclone (Ubuntu Resolute)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Affects: rclone (Ubuntu Stonking)
   Importance: Medium
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Also affects: rclone (Ubuntu Questing)
   Importance: Undecided
   Status: New

** Also affects: rclone (Ubuntu Stonking)
   Importance: Undecided
   Assignee: Wesley Hershberger (whershberger)
   Status: In Progress

** Also affects: rclone (Ubuntu Resolute)
   Importance: Undecided
   Status: New

** Also affects: rclone (Ubuntu Noble)
   Importance: Undecided
   Status: New

** Also affects: rclone (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Changed in: rclone (Ubuntu Resolute)
   Status: New => In Progress

** Changed in: rclone (Ubuntu Questing)
   Status: New => In Progress

** Changed in: rclone (Ubuntu Noble)
   Status: New => In Progress

** Changed in: rclone (Ubuntu Jammy)
   Status: New => In Progress

** Changed in: rclone (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Noble)
   Importance: Undecided => Critical

** Changed in: rclone (Ubuntu Questing)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Resolute)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Stonking)
   Importance: Undecided => Medium

** Changed in: rclone (Ubuntu Resolute)
   Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Questing)
   Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Noble)
   Importance: Critical => Medium

** Changed in: rclone (Ubuntu Noble)
   Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Jammy)
   Assignee: (unassigned) => Wesley Hershberger (whershberger)

** CVE added: https://cve.org/CVERecord?id=CVE-2026-41176

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152913

Title:
  CVE-2026-41176

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
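The two upstream changes described under [ Where problems could occur ], modelled as an added Go example that is not rclone's code: a toy rc server whose `options/set` endpoint flips a process-wide NoAuth option, constructed once with the pre-fix behaviour (no auth on `options/set`, NoAuth read live on every request) and once with the fixed behaviour (`options/set` requires auth, NoAuth snapshotted at server creation). The endpoint paths and JSON body come from the test plan above; `rcServer`, `liveNoAuth` and the basic-auth password are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"sync/atomic"
)

// Constructed illustration of the reported bug class, not rclone's code (names
// and password are assumptions). liveNoAuth models rclone's mutable rc options.
var liveNoAuth atomic.Bool

// rcServer serves two rc-style endpoints. fixed=false reproduces the report:
// options/set needs no auth and NoAuth is re-read live on every request.
// fixed=true applies both upstream changes: auth on options/set plus a snapshot.
type rcServer struct {
	fixed    bool
	noAuth   bool   // snapshot taken at creation, consulted only when fixed
	password string // stands in for --rc-pass
}

func newRCServer(fixed bool, password string) *rcServer {
	return &rcServer{fixed: fixed, noAuth: liveNoAuth.Load(), password: password}
}

// authorised decides whether a request may reach a protected endpoint.
func (s *rcServer) authorised(r *http.Request) bool {
	if (s.fixed && s.noAuth) || (!s.fixed && liveNoAuth.Load()) {
		return true // fixed: immutable snapshot; vulnerable: live, mutable option
	}
	_, pass, ok := r.BasicAuth()
	return ok && pass == s.password
}

func (s *rcServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch r.URL.Path {
	case "/options/set": // AuthRequired only after the fix (upstream 06aa958)
		if s.fixed && !s.authorised(r) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		var body struct{ RC struct{ NoAuth *bool } `json:"rc"` }
		if json.NewDecoder(r.Body).Decode(&body) == nil && body.RC.NoAuth != nil {
			liveNoAuth.Store(*body.RC.NoAuth) // HTTP 200 is implied
		}
	case "/config/listremotes": // protected endpoint; 200 here means disclosure
		if !s.authorised(r) {
			w.WriteHeader(http.StatusForbidden)
		}
	}
}
```

With the fixed server, even a direct runtime mutation of `liveNoAuth` after construction does not unlock `config/listremotes`, which is exactly the compatibility change the report warns about.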
