CVE-2026-59733

HIGH

rclone `serve restic --private-repos` authorization bypass: `..` in the URL path lets an authenticated user read, overwrite and delete other users' repositories

CVSS v3

8.8

HIGH

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in v

Technical Details

CVSS v3 Vector
3.1
Published
7/14/2026
Last Modified
7/15/2026

Frequently Asked Questions

What is CVE-2026-59733?

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in v

Is CVE-2026-59733 actively exploited?

Active exploitation of CVE-2026-59733 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-59733?

CVE-2026-59733 has a CVSS v3 base score of 8.8 (HIGH severity), with vector string 3.1.

Is CVE-2026-59733 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.