UBUNTU-CVE-2026-59733

Source
https://ubuntu.com/security/CVE-2026-59733
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-59733
Upstream
Published
2026-07-14T22:17:00Z
Modified
2026-07-15T19:45:39.524713204Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.

References

Affected packages

Ubuntu:18.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.36-3
1.36-3ubuntu0.1
1.36-3ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.36-3ubuntu0.2",
            "binary_name": "golang-github-ncw-rclone-dev"
        },
        {
            "binary_version": "1.36-3ubuntu0.2",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json"

Ubuntu:Pro:20.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.47.0+ex1-6
1.47.0+ex1-7
1.49.5-2
1.49.5-3
1.50.2-2
1.50.2-2ubuntu0.1
1.50.2-2ubuntu0.2
1.50.2-2ubuntu0.2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.50.2-2ubuntu0.2+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.50.2-2ubuntu0.2+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json"

Ubuntu:Pro:22.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.53.3-1
1.53.3-2
1.53.3-4
1.53.3-4ubuntu1
1.53.3-4ubuntu1.22.04.1
1.53.3-4ubuntu1.22.04.2
1.53.3-4ubuntu1.22.04.3
1.53.3-4ubuntu1.22.04.3+esm1
1.53.3-4ubuntu1.22.04.4
1.53.3-4ubuntu1.22.04.4+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.53.3-4ubuntu1.22.04.4+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json"

Ubuntu:Pro:24.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-2build1
1.60.1+dfsg-3
1.60.1+dfsg-3ubuntu0.24.04.1
1.60.1+dfsg-3ubuntu0.24.04.2
1.60.1+dfsg-3ubuntu0.24.04.3
1.60.1+dfsg-3ubuntu0.24.04.4
1.60.1+dfsg-3ubuntu0.24.04.4+esm1
1.60.1+dfsg-3ubuntu0.24.04.5
1.60.1+dfsg-3ubuntu0.24.04.5+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.60.1+dfsg-3ubuntu0.24.04.5+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json"

Ubuntu:Pro:26.04:LTS / rclone

Package

Name
rclone
Purl
pkg:deb/ubuntu/rclone?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.60.1+dfsg-4ubuntu2
1.60.1+dfsg-4ubuntu3
1.60.1+dfsg-4ubuntu3.1
1.60.1+dfsg-4ubuntu3.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1",
            "binary_name": "golang-github-rclone-rclone-dev"
        },
        {
            "binary_version": "1.60.1+dfsg-4ubuntu3.1+esm1",
            "binary_name": "rclone"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-59733.json"