{"id":"CVE-2026-59732","summary":"rclone archive extract allows S3 destination prefix escape via crafted archive paths","details":"Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.","aliases":["GHSA-4vr5-p2gc-h23p"],"modified":"2026-07-18T03:47:43.010374682Z","published":"2026-07-14T21:36:21.030Z","related":["openSUSE-SU-2026:11241-1"],"database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59732.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/rclone/rclone/releases/tag/v1.74.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59732.json"},{"type":"ADVISORY","url":"https://github.com/rclone/rclone/security/advisories/GHSA-4vr5-p2gc-h23p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59732"},{"type":"FIX","url":"https://github.com/rclone/rclone/commit/1a746732441e8158f32fab35924b23701e719a8c"},{"type":"FIX","url":"https://github.com/rclone/rclone/commit/d11efe0d58fe6a2d6d90675bb9d8ee5840c51e1d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rclone/rclone","events":[{"introduced":"0"},{"fixed":"5bc93a2a7ab0ebd0a11352bc4968eabeffb18027"},{"fixed":"1a746732441e8158f32fab35924b23701e719a8c"},{"fixed":"d11efe0d58fe6a2d6d90675bb9d8ee5840c51e1d"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:rclone:rclone:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.74.4"}]}}],"versions":["v1.74.3","v1.74.2","v1.74.1","v1.74.0","v1.73.0","v1.72.0","v1.71.0","v1.70.0","v1.69.0","v1.68.0","v1.67.0","v1.66.0","v1.65.0","v1.64.0","v1.63.0","v1.62.0","v1.61.0","v1.60.0","v1.59.0","v1.58.0","v1.57.0","v1.56.0","v1.55.0","v1.54.0","v1.53.0","v1.52.0","v1.51.0","v1.50.0","v1.49.0","v1.48.0","v1.47.0","v1.46.0","v1.46","v1.45","v1.44","v1.43","v1.42","v1.41","v1.40","v1.39","v1.38","v1.37","v1.36","v1.35","v1.34","v1.33","v1.32","v1.31","v1.30","v1.29-1-gbb75d80","v1.29","v1.28","v1.27","v1.26","v1.25","v1.24","v1.23","v1.22","v1.21","v1.20","v1.19","v1.18","v1.17","v1.16","v1.15","v1.14","v1.13","v1.12","v1.11","v1.10","v1.09","v1.08","v1.07","v1.06","v1.05","v1.04","v1.03","v1.01","v1.00","v0.99","v0.98","v0.97","v0.96","v0.95","v0.94","v0.93","v0.92","v0.91","v0.90"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59732.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L"}]}