Rclone 1.73.5 has been released. Find it in the rclone downloads or use rclone selfupdate to upgrade.
Release announcement: https://forum.rclone.org/t/rclone-release-v1-73-5-important-security-fix/53700
This is a security release to fix two CVEs in rclone and a few other small things.
Neptune (@0wnerDied on GitHub) discovered two exploitable vulnerabilities in the rclone rc.
To be vulnerable all 3 of these conditions must be met:
- The rclone remote control API must be enabled, either by the --rc flag or by running the rclone rcd server
- The remote control API must be reachable by the attacker - by default rclone only serves the rc to localhost unless the --rc-addr flag is in use
- The rc must have been deployed without global RC HTTP authentication - so not using --rc-user/--rc-pass/--rc-htpasswd/etc
If these conditions apply to your rclone deployment then upgrade to v1.73.5, add HTTP auth to the rc (eg --rc-user/--rc-pass), or stop exposing the rc port to untrusted users - preferably all 3, as the rclone rc was never designed to be exposed to untrusted users.
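As an added audit helper (not part of rclone), the POSIX sh function below checks an rclone command line against the three conditions above and prints EXPOSED only when all three hold. It assumes a single --rc-addr value of the form host:port, flags given either as --flag=value or --flag value, and the constructed sample command lines at the end are illustrative only.

```shell
#!/bin/sh
# Added audit helper, not part of rclone: checks an rclone command line
# against the three conditions from the advisory and prints EXPOSED when
# all three hold, OK otherwise (the per-condition detail goes to stderr).
# Assumptions: one --rc-addr value of the form host:port, and flags given
# either as --flag=value or as --flag value.

# Condition 2: would this listen address accept clients beyond localhost?
rc_addr_is_public() {
    _host="${1%:*}"                          # drop the ":port" suffix
    case "$_host" in
        ""|0.0.0.0|"[::]")       return 0 ;;  # all interfaces
        127.*|localhost|"[::1]") return 1 ;;  # loopback only (rclone default)
        *)                       return 0 ;;  # a specific non-loopback address
    esac
}

rclone_rc_exposed() {
    _rc=0; _public=0; _auth=0; _want_addr=0
    for _arg in "$@"; do
        if [ "$_want_addr" -eq 1 ]; then      # value following a bare --rc-addr
            _want_addr=0
            if rc_addr_is_public "$_arg"; then _public=1; fi
            continue
        fi
        case "$_arg" in
            rcd|--rc|--rc=true)  _rc=1 ;;     # condition 1: rc enabled
            --rc-addr)           _want_addr=1 ;;
            --rc-addr=*)         if rc_addr_is_public "${_arg#--rc-addr=}"; then _public=1; fi ;;
            --rc-user|--rc-pass|--rc-htpasswd|--rc-user=*|--rc-pass=*|--rc-htpasswd=*)
                                 _auth=1 ;;   # global rc HTTP auth present
        esac
    done
    printf 'rc=%s non-loopback=%s auth=%s\n' "$_rc" "$_public" "$_auth" >&2
    if [ "$_rc" -eq 1 ] && [ "$_public" -eq 1 ] && [ "$_auth" -eq 0 ]; then
        echo EXPOSED
    else
        echo OK
    fi
}

# Constructed sample command lines: the first matches the advisory, the rest
# each remove one condition (auth added, loopback only, rc not enabled).
rclone_rc_exposed rcd --rc-addr :5572
rclone_rc_exposed rcd --rc-addr 0.0.0.0:5572 --rc-user admin --rc-pass 'REDACTED'
rclone_rc_exposed sync src: dst: --rc --rc-addr=127.0.0.1:5572
rclone_rc_exposed sync src: dst: --rc-addr 0.0.0.0:5572
```

Run it against the argument list of each rclone process or service unit you operate; an EXPOSED result means the deployment needs the upgrade, auth, or a loopback-only --rc-addr.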
More details:
v1.73.5 - 2026-04-19
- Bug Fixes
  - operations: Add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179 (Nick Craig-Wood)
  - rc
    - Add AuthRequired to options/set to prevent auth bypass CVE-2026-41176 (Nick Craig-Wood)
    - Snapshot NoAuth at startup to prevent runtime auth bypass CVE-2026-41176 (Nick Craig-Wood)
  - filter: Fix debug logs that fire before logger is configured (Nick Craig-Wood)
- Azureblob
  - Add Microsoft Partner Network User-Agent prefix (Nick Craig-Wood)
- Drime
  - Fix User.EntryPermissions JSON unmarshalling (a1pcm)
- Iclouddrive
  - Fix 'directory not found' error when the directory contains accent marks (Brais Couce)
- S3
  - Fix TencentCOS CDN endpoint failing on bucket check (Mozi)
  - Fix empty delimiter parameter rejected by Archiware P5 server (Nick Craig-Wood)