Rclone 1.45.x < 1.73.5 Authentication Bypass (CVE-2026-41176)

Critical | Nessus Plugin ID 310056

Synopsis

An application installed on the remote host is affected by an authentication bypass vulnerability.

Description

The version of Rclone installed on the remote host is 1.45.x prior to 1.73.5. It is, therefore, affected by an authentication bypass vulnerability:

- The RC endpoint options/set is exposed without AuthRequired, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods on reachable RC servers started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality. (CVE-2026-41176)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Rclone version 1.73.5 or later.

See Also

http://www.nessus.org/u?c9099663

Plugin Details

Severity: Critical

ID: 310056

File Name: rclone_CVE-2026-41176.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 4/24/2026

Updated: 4/24/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-41176

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:rclone:rclone

Required KB Items: installed_sw/rclone

Patch Publication Date: 4/19/2026

Vulnerability Publication Date: 4/19/2026

Reference Information

CVE: CVE-2026-41176

IAVB: 2026-B-0105