๐Ÿ” CVE Alert

CVE-2026-59733

HIGH 8.8

rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users' repositories

CVSS Score
8.8
EPSS Score
0.5%
EPSS Percentile
41th

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.

CWE CWE-22 CWE-639
Vendor rclone
Product rclone
Published Jul 14, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for rclone rclone

Be the first to know when new high vulnerabilities affecting rclone rclone are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

rclone / rclone
< 1.74.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/rclone/rclone/security/advisories/GHSA-fqj9-69pf-6pjg github.com: https://github.com/rclone/rclone/commit/015fd0eba1cb138eef081517795fed47a2873f2d github.com: https://github.com/rclone/rclone/commit/dade21c1616035b044df0eef7ee6a85aeb06a139 github.com: https://github.com/rclone/rclone/releases/tag/v1.74.4