CVE-2026-49980

Rclone · Rclone

Rclone’s remote control daemon (rcd) allows unauthenticated Remote Code Execution by processing malicious GET/HEAD requests that trigger local command execution during backend initialization.

Executive summary

Rclone versions 1.46.0 through 1.74.2 are susceptible to an unauthenticated Remote Code Execution vulnerability that permits full system compromise via a single network request.

Vulnerability

The vulnerability stems from improper handling of the rcd remote control interface, which accepts unauthenticated requests that can be crafted to include inline remote configuration options. These options are parsed during backend initialization and can be leveraged to execute arbitrary local commands as the rclone process user.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting its ability to be exploited remotely without authentication. Successful exploitation grants an attacker the ability to execute commands with the privileges of the Rclone process, leading to potential data exfiltration from connected cloud storage or complete host system takeover.

Remediation

Immediate Action: Upgrade to Rclone version 1.74.3 or later to apply the necessary security fixes to the remote control interface.

Proactive Monitoring: Inspect network traffic for unauthorized GET or HEAD requests targeting the Rclone rcd endpoint, particularly those whose request paths contain inline remote configuration options.

Compensating Controls: Disable the rcd feature if not required for operations, or restrict access to the remote control interface using IP whitelisting and network-level access controls.
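
An added example, not from this advisory or the Rclone project, of the log inspection described under Proactive Monitoring: it scans access-log lines for GET/HEAD requests whose path embeds a remote definition with inline options. It assumes combined-format logs (for instance from a reverse proxy in front of rcd) and rclone's documented `[remote:path]` URL form and `name,option=value:` connection-string syntax; the sample lines, backend name and option name are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /%5B%3Aexamplebackend%2Csome_option%3DVALUE%3A%5D/x HTTP/1.1" 200 12
198.51.100.4 - - [01/Jan/2026:10:00:02 +0000] "HEAD /[:examplebackend,some_option=VALUE:]/ HTTP/1.1" 404 0
192.0.2.10 - - [01/Jan/2026:10:00:03 +0000] "GET /[backup:photos]/2025/a.jpg HTTP/1.1" 200 48211
192.0.2.10 - - [01/Jan/2026:10:00:04 +0000] "POST /rc/noop HTTP/1.1" 200 3
"""

# Client address, method (GET/HEAD only) and raw request target.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|HEAD) (\S+)')
# Assumption: a remote is addressed as a leading "/[remote:path]" path segment.
BRACKET = re.compile(r"^/\[([^\]]+)\]")


def inline_config(spec):
    """Return True if a remote spec carries configuration inline."""
    if spec.startswith(":"):        # on-the-fly backend, ":backend:path"
        return True
    name = spec.split(":", 1)[0]    # named remote, possibly "name,opt=value"
    return "," in name


def scan(log_text):
    """Return (client, method, decoded_path) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, method, path = m.groups()
        for _ in range(3):          # undo nested percent-encoding
            path = unquote(path)
        spec = BRACKET.match(path)
        if spec and inline_config(spec.group(1)):
            hits.append((client, method, path))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Requests to a named remote with no inline options, such as the third sample line, are not flagged, so a hit indicates a client supplying its own backend configuration.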

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the ease of exploitation and the critical nature of the impact, immediate remediation is required. Organizations running Rclone with the remote control daemon enabled must update to version 1.74.3 or ensure the service is not exposed to untrusted networks.