UBUNTU-CVE-2026-59732

Source
https://ubuntu.com/security/CVE-2026-59732
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-59732
Upstream
Published
2026-07-14T22:17:00Z
Modified
2026-07-15T19:46:34.904091256Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.

References

Affected packages

Ubuntu:18.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.36-3
1.36-3ubuntu0.1
1.36-3ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.36-3ubuntu0.2",
            "binary_name": "golang-github-ncw-rclone-dev"
        },
        {
            "binary_version": "1.36-3ubuntu0.2",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json"

Ubuntu:Pro:20.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.47.0+ex1-6
1.47.0+ex1-7
1.49.5-2
1.49.5-3
1.50.2-2
1.50.2-2ubuntu0.1
1.50.2-2ubuntu0.2
1.50.2-2ubuntu0.2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.50.2-2ubuntu0.2+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.50.2-2ubuntu0.2+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json"

Ubuntu:Pro:22.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.53.3-1
1.53.3-2
1.53.3-4
1.53.3-4ubuntu1
1.53.3-4ubuntu1.22.04.1
1.53.3-4ubuntu1.22.04.2
1.53.3-4ubuntu1.22.04.3
1.53.3-4ubuntu1.22.04.3+esm1
1.53.3-4ubuntu1.22.04.4
1.53.3-4ubuntu1.22.04.4+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json"

Ubuntu:Pro:24.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-2build1
1.60.1+dfsg-3
1.60.1+dfsg-3ubuntu0.24.04.1
1.60.1+dfsg-3ubuntu0.24.04.2
1.60.1+dfsg-3ubuntu0.24.04.3
1.60.1+dfsg-3ubuntu0.24.04.4
1.60.1+dfsg-3ubuntu0.24.04.4+esm1
1.60.1+dfsg-3ubuntu0.24.04.5
1.60.1+dfsg-3ubuntu0.24.04.5+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json"

Ubuntu:Pro:26.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-4ubuntu2
1.60.1+dfsg-4ubuntu3
1.60.1+dfsg-4ubuntu3.1
1.60.1+dfsg-4ubuntu3.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59732.json"