Summary
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
References
Related vulnerabilities
All Supply chain →- HIGHGHSA-FQ4X-789W-JG5H
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)
- HIGHGHSA-JXCW-QP4H-6JFQ
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
- CRITICALGHSA-J4F3-55X4-R6Q2
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
- CRITICALGHSA-9752-MHQH-H34F
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
- CRITICALGHSA-P75F-6FP4-P57W
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
- CRITICALGHSA-892R-P3JQ-JP24
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation