Remote Code Execution via unauthenticated requests when `rcd --rc-serve` is enabled
Summary
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3. A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the `rcd --rc-serve` option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows for remote code execution, potentially compromising the system where Rclone is running. OpenShift API for Data Protection (OADP) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) do not run rclone rcd --rc-serve with an unauthenticated RC listener. OADP relies on Restic (rclone serve restic --stdio) and Kopia (WebDAV serve with RC authentication), while RHACM VolSync uses rclone sync/copy or only compile-time dependencies. Red Hat severity: Important — CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-78. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Until upgraded: 1. Stop using --rc-serve 2. Add RC auth (--rc-user + --rc-pass or --rc-htpasswd), and 3. Keep RC on localhost only (do not bind 0.0.0.0 without auth)
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.