Nick Craig-Wood
48da1774f4
rc: fix unauthenticated command execution via --rc-serve inline remotes CVE-2026-49980
The --rc-serve GET/HEAD file serving path accepted bracketed inline
remotes from the URL and instantiated them, so a single
unauthenticated request could run a command as the rclone user via
backend options such as webdav bearer_token_command or sftp ssh, read
arbitrary local files, or change process-wide config via global.*
options.
This was the GET/HEAD equivalent of the POST hole fixed for
CVE-2026-41179, which only guarded the rc call dispatch path.
Now, unless the rc server has authentication configured or
--rc-no-auth is set, the serve path only allows remotes already
present in the config file: inline remotes, connection string
parameters and bare local paths are rejected. Connection string
global.* options are never honoured on the serve path, even when
authenticated.
See: GHSA-qw24-gh76-8rvv
(cherry picked from commit 2326ea79f7)
2026-06-05 15:22:03 +01:00
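The rules the commit message lays out (configured remotes only on an unauthenticated `--rc-serve` path; inline remotes, connection string parameters and bare local paths refused; `global.*` options never honoured even when authenticated) can be written as a small fail-closed authoriser. The block below is an added illustration, not rclone's own code: `Authorize`, `Policy`, `Decision` and `splitBracketed` are names invented here, the `/[remote:path]/file` URL shape is the one `--rc-serve` documents, and the spec parsing is a deliberate simplification (no quoting, no Windows drive letters) of rclone's real connection string parser. Whether rclone strips or refuses a `global.*` key is not stated on the page; this example refuses the whole request.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRejected is returned for any remote spec the serve path refuses.
var ErrRejected = errors.New("remote spec not allowed on serve path")

// Policy is the authentication state for one request: true when the rc
// server has auth configured and the request passed it, or --rc-no-auth
// was given explicitly. Hypothetical type for this example.
type Policy struct {
	Authenticated bool
}

// Decision is the parsed, authorised target of a GET/HEAD request.
type Decision struct {
	Remote string            // "myremote", or ":backend" for an inline remote
	Path   string            // path inside the remote, taken from the brackets
	File   string            // remainder of the URL after "]/"
	Params map[string]string // connection string options; never global.*
}

// splitBracketed extracts spec and file from "/[spec]/file".
// A missing bracket is a malformed request, not a remote.
func splitBracketed(urlPath string) (spec, file string, ok bool) {
	if !strings.HasPrefix(urlPath, "/[") {
		return "", "", false
	}
	end := strings.Index(urlPath, "]")
	if end < 0 {
		return "", "", false
	}
	return urlPath[2:end], strings.TrimPrefix(urlPath[end+1:], "/"), true
}

// Authorize applies the serve-path rules to one request. configured is the
// set of remote names present in the config file (constructed by the caller).
func Authorize(urlPath string, configured map[string]bool, pol Policy) (Decision, error) {
	spec, file, ok := splitBracketed(urlPath)
	if !ok {
		return Decision{}, fmt.Errorf("%w: malformed path %q", ErrRejected, urlPath)
	}
	inline := strings.HasPrefix(spec, ":") // ":backend,opt=val:path"
	body := strings.TrimPrefix(spec, ":")
	head, path, hasColon := strings.Cut(body, ":")
	if !hasColon {
		// No "remote:" prefix at all, so this would be a bare local path.
		if !pol.Authenticated {
			return Decision{}, fmt.Errorf("%w: bare local path %q", ErrRejected, spec)
		}
		return Decision{Path: spec, File: file}, nil
	}
	name, paramStr, hasParams := strings.Cut(head, ",")
	if inline && !pol.Authenticated {
		return Decision{}, fmt.Errorf("%w: inline remote %q", ErrRejected, spec)
	}
	if hasParams && !pol.Authenticated {
		return Decision{}, fmt.Errorf("%w: connection string parameters in %q", ErrRejected, spec)
	}
	// A named remote must exist in the config file whatever the auth state;
	// an unknown name has nothing to instantiate (assumption of this example).
	if !inline && !configured[name] {
		return Decision{}, fmt.Errorf("%w: remote %q not in config file", ErrRejected, name)
	}
	params := map[string]string{}
	if hasParams {
		for _, kv := range strings.Split(paramStr, ",") {
			k, v, _ := strings.Cut(kv, "=")
			if strings.HasPrefix(k, "global.") {
				// Process-wide config is never settable from a served URL.
				return Decision{}, fmt.Errorf("%w: %q is never honoured on the serve path", ErrRejected, k)
			}
			params[k] = v
		}
	}
	remote := name
	if inline {
		remote = ":" + name
	}
	return Decision{Remote: remote, Path: path, File: file, Params: params}, nil
}

func main() {
	cfg := map[string]bool{"myremote": true} // constructed stand-in for rclone.conf
	for _, u := range []string{
		"/[myremote:docs]/readme.txt",
		"/[:webdav,bearer_token_command=id:]/x",
		"/[myremote,global.log_file=/tmp/x:docs]/x",
		"/[/etc/passwd]/",
	} {
		d, err := Authorize(u, cfg, Policy{})
		fmt.Printf("%-45s -> %+v %v\n", u, d, err)
	}
}
```

The important property is that every branch that is not a configured `name:path` form is refused before any backend is looked up, so the webdav `bearer_token_command` and sftp `ssh` options named in the commit message are never even parsed for an unauthenticated caller.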