UBUNTU-CVE-2026-49980

Source
https://ubuntu.com/security/CVE-2026-49980
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-49980
Upstream
Published
2026-06-24T19:17:00Z
Modified
2026-07-02T18:03:15.650587661Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.

References

Affected packages

Ubuntu:18.04:LTS
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.36-3
1.36-3ubuntu0.1
1.36-3ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-ncw-rclone-dev",
            "binary_version": "1.36-3ubuntu0.2"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.36-3ubuntu0.2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"
Ubuntu:25.10
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-4
1.60.1+dfsg-4ubuntu1
1.60.1+dfsg-4ubuntu2
1.60.1+dfsg-4ubuntu2.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-rclone-rclone-dev",
            "binary_version": "1.60.1+dfsg-4ubuntu2.1"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.60.1+dfsg-4ubuntu2.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"
Ubuntu:Pro:20.04:LTS
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.47.0+ex1-6
1.47.0+ex1-7
1.49.5-2
1.49.5-3
1.50.2-2
1.50.2-2ubuntu0.1
1.50.2-2ubuntu0.2
1.50.2-2ubuntu0.2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-rclone-rclone-dev",
            "binary_version": "1.50.2-2ubuntu0.2+esm1"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.50.2-2ubuntu0.2+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"
Ubuntu:Pro:22.04:LTS
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.53.3-1
1.53.3-2
1.53.3-4
1.53.3-4ubuntu1
1.53.3-4ubuntu1.22.04.1
1.53.3-4ubuntu1.22.04.2
1.53.3-4ubuntu1.22.04.3
1.53.3-4ubuntu1.22.04.3+esm1
1.53.3-4ubuntu1.22.04.4
1.53.3-4ubuntu1.22.04.4+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-rclone-rclone-dev",
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"
Ubuntu:Pro:24.04:LTS
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-2build1
1.60.1+dfsg-3
1.60.1+dfsg-3ubuntu0.24.04.1
1.60.1+dfsg-3ubuntu0.24.04.2
1.60.1+dfsg-3ubuntu0.24.04.3
1.60.1+dfsg-3ubuntu0.24.04.4
1.60.1+dfsg-3ubuntu0.24.04.4+esm1
1.60.1+dfsg-3ubuntu0.24.04.5
1.60.1+dfsg-3ubuntu0.24.04.5+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-rclone-rclone-dev",
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"
Ubuntu:Pro:26.04:LTS
rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-4ubuntu2
1.60.1+dfsg-4ubuntu3
1.60.1+dfsg-4ubuntu3.1
1.60.1+dfsg-4ubuntu3.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-rclone-rclone-dev",
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1"
        },
        {
            "binary_name": "rclone",
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49980.json"