Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an attacker-controlled remote to plant an escaping symlink and cause a following object write to land outside the destination with attacker-chosen contents. This issue is fixed in version 1.74.4.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an attacker-controlled remote to plant an escaping symlink and cause a following object write to land outside the destination with attacker-chosen contents. This issue is fixed in version 1.74.4. | |
| Title | rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untrusted remote | |
| Weaknesses | CWE-59 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T21:37:41.882Z
Reserved: 2026-06-15T19:15:27.343Z
Link: CVE-2026-54572
No data.
No data.
No data.
OpenCVE Enrichment
No data.