{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49980", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-02T18:30:51.282Z", "datePublished": "2026-06-24T17:52:33.024Z", "dateUpdated": "2026-06-29T12:34:18.288Z"}, "containers": {"cna": {"title": "Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv"}], "affected": [{"vendor": "rclone", "product": "rclone", "versions": [{"version": ">= 1.46.0, < 1.74.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-24T17:52:33.024Z"}, "descriptions": [{"lang": "en", "value": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3."}], "source": {"advisory": "GHSA-qw24-gh76-8rvv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T03:55:52.875291Z", "id": "CVE-2026-49980", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T13:45:32.126Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:openshift_api_data_protection:1"], "defaultStatus": "unaffected", "product": "OpenShift API for Data Protection", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:acm:2"], "defaultStatus": "unaffected", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:cryostat:4"], "defaultStatus": "unknown", "product": "Cryostat 4", "vendor": "Red Hat"}], "datePublic": "2026-06-24T17:52:33.024Z", "descriptions": [{"lang": "en", "value": "A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the `rcd --rc-serve` option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows for remote code execution, potentially compromising the system where Rclone is running."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Critical"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-49980"}, {"name": "RHBZ#2492478", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492478"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49980.json"}], "timeline": [{"lang": "en", "time": "2026-06-24T19:01:27.946Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-24T17:52:33.024Z", "value": "Made public."}], "title": "github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled", "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-29T12:34:18.288Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Critical", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift_api_data_protection:1"], "vendor": "Red Hat", "product": "OpenShift API for Data Protection", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:acm:2"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:cryostat:4"], "vendor": "Red Hat", "product": "Cryostat 4", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2026-06-24T19:01:27.946Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-24T17:52:33.024Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-06-24T17:52:33.024Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-49980", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492478", "name": "RHBZ#2492478", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49980.json", "tags": ["x_sadp-csaf-vex"]}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the `rcd --rc-serve` option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows for remote code execution, potentially compromising the system where Rclone is running."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-29T12:34:18.288Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-49980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-25T03:55:52.875291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T13:45:29.353Z"}}], "cna": {"title": "Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix", "source": {"advisory": "GHSA-qw24-gh76-8rvv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rclone", "product": "rclone", "versions": [{"status": "affected", "version": ">= 1.46.0, < 1.74.3"}]}], "references": [{"url": "https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv", "name": "https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-24T17:52:33.024Z"}}}, "cveMetadata": {"cveId": "CVE-2026-49980", "state": "PUBLISHED", "dateUpdated": "2026-06-29T12:34:18.288Z", "dateReserved": "2026-06-02T18:30:51.282Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-24T17:52:33.024Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "github.com/rclone/rclone: Rclone: Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled", "id": "2492478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492478"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the `rcd --rc-serve` option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows for remote code execution, potentially compromising the system where Rclone is running."], "mitigation": {"lang": "en:us", "value": "Until upgraded:\n1. Stop using --rc-serve\n2. Add RC auth (--rc-user + --rc-pass or --rc-htpasswd), and\n3. Keep RC on localhost only (do not bind 0.0.0.0 without auth)"}, "name": "CVE-2026-49980", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Under investigation", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Not affected", "package_name": "oadp/oadp-mustgather-rhel9", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Not affected", "package_name": "oadp/oadp-velero-restic-restore-helper-rhel9", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Not affected", "package_name": "oadp/oadp-velero-rhel9", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/volsync-operator-bundle", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/volsync-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}], "public_date": "2026-06-24T17:52:33Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49980\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49980\nhttps://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv"], "statement": "OpenShift API for Data Protection (OADP) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) do not run rclone rcd --rc-serve with an unauthenticated RC listener. OADP relies on Restic (rclone serve restic --stdio) and Kopia (WebDAV serve with RC authentication), while RHACM VolSync uses rclone sync/copy or only compile-time dependencies.", "threat_severity": "Critical"}