CVE-2026-59733

rclone · rclone

Rclone is susceptible to path traversal and authorization bypass vulnerabilities that may allow an authenticated user to access or manipulate restricted files.

Executive summary

A high severity path traversal and authorization bypass vulnerability in rclone, version 1.74.4 and earlier, poses a significant risk of unauthorized file system access.

Vulnerability

This vulnerability involves improper limitation of a pathname to a restricted directory (CWE-22) and authorization bypass via user-controlled keys (CWE-639). These flaws allow an authenticated attacker to perform path traversal and bypass intended access controls.

Business impact

The ability to traverse directories and bypass authorization controls presents a critical risk to data confidentiality and integrity. If exploited, an attacker could potentially read, modify, or delete sensitive files stored within the cloud storage environments managed by rclone, leading to significant data loss or unauthorized exposure. With a CVSS score of 8.8, this vulnerability is considered a high priority for remediation.

Remediation

Immediate Action: Update rclone to version 1.74.4 or later to apply the necessary security patches.

Proactive Monitoring: Review rclone access logs for unusual patterns, such as directory traversal sequences or unauthorized attempts to access paths outside of designated synchronization folders.

Compensating Controls: Implement strict identity and access management (IAM) policies on the cloud storage providers being synced to ensure that the service account used by rclone has the least privilege necessary.

Exploitation status

Public Exploit Available: No confirmed public exploit (weaponized or otherwise) is available in the provided data.

Analyst recommendation

Given the potential for unauthorized file access, it is imperative that users upgrade their rclone installations to version 1.74.4 immediately. Organizations should prioritize this update to prevent potential exploitation and ensure the continued security of their cloud storage assets.