Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.
History

Thu, 16 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Wed, 15 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Rclone
Rclone rclone
Vendors & Products Rclone
Rclone rclone

Wed, 15 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 22:00:00 +0000

Type Values Removed Values Added
Description Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.
Title rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users' repositories
Weaknesses CWE-22
CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-16T03:55:26.454Z

Reserved: 2026-07-06T15:34:16.917Z

Link: CVE-2026-59733

cve-icon Vulnrichment

Updated: 2026-07-15T13:20:42.760Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-14T21:38:37Z

Links: CVE-2026-59733 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T01:30:04Z