Unauthenticated Remote Takeover Flaw in Cloud Sync Tool Rclone (CVE-2026-49980) — Update to v1.74.3

Rclone, a standard tool for saving and syncing files to the cloud, has a flaw that can be abused remotely without authentication: CVE-2026-49980, with a top-class severity of CVSS 9.8. If the remote-control daemon (rcd) is exposed to the network, a single crafted request can run arbitrary commands on the machine running Rclone. Versions 1.46.0–1.74.2 are affected; update to 1.74.3.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.25

Rclone, a standard tool for saving and syncing files to the cloud, has been found to contain a vulnerability (a software flaw) that can be abused remotely without any identity check (authentication). It is tracked as CVE-2026-49980, with a severity of 9.8 out of 10 (Critical), near the very top of the scale.

The affected versions are 1.46.0 through 1.74.2. It was reported by GitHub and disclosed on June 24, 2026. The fix is included in 1.74.3. If you expose Rclone's remote-control daemon (rcd) to the network, an attacker can send a single unauthenticated request and run arbitrary commands on the machine where Rclone runs, so an update is needed right away.

What kind of tool is Rclone?

Rclone is a command-line tool that exchanges files with more than 70 kinds of cloud storage, including Amazon S3, Google Drive, Dropbox, and OneDrive. It can back up and restore to the cloud, migrate data between services, and store data encrypted, and it is nicknamed "the Swiss army knife of cloud storage." It is widely used on Linux, Windows, and Mac, and is included in the official packages of major Linux distributions (types of OS, such as Ubuntu).

This flaw is in Rclone's "remote-control daemon (rcd)." With the rclone rcd command, Rclone can start an API (an access point) for operating Rclone over the network from other programs or a browser. It is convenient for automation and web admin panels, but the way this access point was built had a hole.

Who targets it, what they do, and what happens

At risk are servers or individuals running Rclone's remote-control feature (rcd) reachable from the network without authentication. This applies to setups that keep this access point running to automate backups or manage cloud syncing centrally. Simply placing it where other services can reach it on an internal network or in the cloud can make it a target.

What an attacker does is send a single crafted request to this access point and, without undergoing any identity check, run any command on the machine where Rclone runs. No login or passphrase is required; it works for anyone in a position to reach it with a request, which is what pushes the severity to the top class.

Execution happens with the privileges of the user running Rclone. Because Rclone holds the credentials (keys) to cloud storage, a takeover can lead to stealing or deleting backup data, tampering with stored content, and even expanding intrusion using the same machine as a foothold. A tool meant to protect backups thus becomes an entry point that puts all of that data at risk.

Vulnerabilities that begin to be used in real attacks can be added to the U.S. agency CISA's "list of vulnerabilities under active attack." We maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition).

What the vulnerability is

The cause is that an important access point that should have been guarded was missing its identity check.

CVE-2026-49980: arbitrary command execution in a single unauthenticated shot (CVSS 9.8)

According to the published information, Rclone's remote-control server (rcd --rc-serve) accepted unauthenticated GET and HEAD requests to specific URLs. By abusing an "inline configuration" option that writes the connection settings directly into the request, an attacker can execute arbitrary commands with the privileges of the Rclone process. All it takes is one request over the network—no login and no luring the user into any action.

In the fixed version 1.74.3, the handling of this access point was reworked so that critical functions cannot be reached without authentication. This also bears on how you manage tools you bring in from outside: inspecting the packages and services you use is worth revisiting alongside the ideas in our OSS supply-chain scanner overview.

A quick check of whether you are affected

Versions 1.46.0 through 1.74.2 are affected, and the flaw is especially dangerous if you expose the remote-control feature to the network. Check your version with rclone version.

| Your version | Remote feature (rcd) state | What to do |
|---|---|---|
| 1.46.0 – 1.74.2 | Exposed to the network | Top priority: update to 1.74.3 |
| 1.46.0 – 1.74.2 | Not used (plain commands only) | Update to 1.74.3 soon |
| 1.74.3 and later | | No action needed |

If you do not use the remote-control feature and only run everyday commands like rclone copy, the risk is lower because requests cannot reach the access point from outside. But considering the chance of enabling this feature in the future, updating to 1.74.3 or later is recommended in any case.

What to do now

The top priority is to update Rclone to 1.74.3 or later. Get the latest version from your OS packages or the official downloads page.

If you cannot update immediately, an effective mitigation is to isolate the remote-control feature (rcd) where unknown parties cannot reach it. Concretely: limit the listening range to your own machine (localhost), always require authentication with --rc-user / --rc-pass, and block external connections at the firewall. Also inspect for unfamiliar processes, traffic, or suspicious file operations. In case you have already been compromised, the safe move is to rotate the cloud credentials configured in Rclone after you update.
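
The version check and the mitigation list above, as an added example (not code from this article or from the Rclone project): a POSIX shell helper that tests a version against the affected range and reviews an rcd command line for the gaps named here. The function names, finding labels and sample command lines are constructed for illustration; it assumes rclone's standard --rc-addr flag and its localhost:5572 default.

```sh
#!/bin/sh
# Triage helper for CVE-2026-49980 (affected: 1.46.0 - 1.74.2, fixed: 1.74.3).

# ver_key VERSION: "v1.74.2" or "1.74.2-beta" -> sortable integer 1074002.
ver_key() {
  _v=${1#v}
  echo "${_v%%[-+]*}" | awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }'
}

# is_affected VERSION: exit status 0 when VERSION lies in the affected range.
is_affected() {
  _k=$(ver_key "$1")
  [ "$_k" -ge "$(ver_key 1.46.0)" ] && [ "$_k" -le "$(ver_key 1.74.2)" ]
}

# rcd_findings CMDLINE: print the mitigation gaps found in one command line.
# Simplification: only flags are read, not RCLONE_RC_* environment variables.
rcd_findings() {
  _cmd=" $1 "; _out=""
  case $_cmd in
    *" rcd "*|*" --rc "*) ;;
    *) echo "rc-not-enabled"; return 0 ;;
  esac
  # rclone binds the rc server to localhost:5572 unless --rc-addr overrides it.
  _addr=$(printf '%s\n' "$_cmd" | sed -n 's/.* --rc-addr[= ]\([^ ]*\).*/\1/p')
  [ -n "$_addr" ] || _addr="localhost:5572"
  case ${_addr%:*} in
    localhost|127.*|"[::1]") ;;
    *) _out="$_out listens-beyond-localhost" ;;
  esac
  case $_cmd in *" --rc-user"*) ;; *) _out="$_out no-rc-user" ;; esac
  case $_cmd in *" --rc-pass"*) ;; *) _out="$_out no-rc-pass" ;; esac
  _out=${_out# }
  echo "${_out:-ok}"
}

# Installed binary, if any: first line of `rclone version` is "rclone vX.Y.Z".
if command -v rclone >/dev/null 2>&1; then
  installed=$(rclone version | awk 'NR==1 {print $2}')
  if is_affected "$installed"; then echo "$installed: affected, update to 1.74.3"; fi
fi

# Constructed command lines (not taken from a real host).
for c in "rclone rcd --rc-addr :5572 --rc-serve" \
         "rclone rcd --rc-addr 127.0.0.1:5572 --rc-user ops --rc-pass REDACTED"; do
  echo "$c => $(rcd_findings "$c")"
done
```

On a live host, feed rcd_findings the command lines of running rclone processes (for example from ps) and treat any output other than ok as a reason to restrict the listener before the update lands.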

Summary

Rclone's CVE-2026-49980 is a vulnerability in which the remote-control access point was missing its identity check, allowing arbitrary commands to be run with a single unauthenticated request. Its severity is CVSS 9.8, near the very top, and it affects 1.46.0 through 1.74.2, fixed in 1.74.3.

Because Rclone is a backup linchpin that holds cloud keys, a takeover causes large damage. If you expose the remote-control feature, update as a top priority; even if you do not, update to 1.74.3 or later soon. If new vulnerabilities concerning Rclone emerge, we will track them by adding to this article.
