rclone/docs/content
Nick Craig-Wood 48da1774f4 rc: fix unauthenticated command execution via --rc-serve inline remotes CVE-2026-49980
The --rc-serve GET/HEAD file serving path accepted bracketed inline
remotes from the URL and instantiated them, so a single
unauthenticated request could run a command as the rclone user via
backend options such as webdav bearer_token_command or sftp ssh, read
arbitrary local files, or change process-wide config via global.*
options.

This was the GET/HEAD equivalent of the POST hole fixed for
CVE-2026-41179, which only guarded the rc call dispatch path.

Now, unless the rc server has authentication configured or
--rc-no-auth is set, the serve path only allows remotes already
present in the config file: inline remotes, connection string
parameters and bare local paths are rejected. Connection string
global.* options are never honoured on the serve path, even when
authenticated.

See: GHSA-qw24-gh76-8rvv
(cherry picked from commit 2326ea79f7)
2026-06-05 15:22:03 +01:00