Rclone 1.74.4 has been released. Find it in the rclone downloads or use rclone selfupdate to upgrade.
This is a security release to fix CVEs in rclone and rclone dependencies and a selection of other bugs.
v1.74.4 - 2026-07-08
- Bug Fixes
- accounting
- Fix goroutine leak in ResetCounters (Nick Craig-Wood)
- Fix goroutine leak in NewStatsGroup for zero-transfer rc jobs (Sanjays2402)
- archive extract: Fix path traversal letting archives escape the destination CVE-2026-59732 (Nick Craig-Wood)
- build
- Fix multiple CVEs by upgrading to go1.26.5 (Nick Craig-Wood)
- CVE-2026-39822: os: Root escape via symlink plus trailing slash
- CVE-2026-42505: crypto/tls: Encrypted Client Hello privacy leak
- Update
golang.org/x/imageto v0.43.0 to fix image decoding vulnerabilities (Nick Craig-Wood)- CVE-2026-46604: panic decoding a TIFF image with an out-of-bounds strip offset
- CVE-2026-46602: unbounded memory use from lack of a limit on TIFF tile sizes
- CVE-2026-46601: panic on a WEBP VP8 alpha channel size mismatch
- CVE-2026-33813: panic decoding a large WEBP image on 32-bit platforms
- Fix multiple CVEs by upgrading to go1.26.5 (Nick Craig-Wood)
- cmd/mount2
- Fix NFS file creation by implementing Mknod (Sandy Luppino)
- Fix ESTALE over NFS by reporting stable inode numbers (Sandy Luppino)
- Fix NFS directory listings by supporting non-zero Seekdir offsets (Sandy Luppino)
- completion: Fix powershell completion corrupting non-ASCII names (Yash Anil)
- doc fixes (Bryan Stenson, Castronaut, Filippo, Gaurav, happysnaker, Jan-Philipp Reßler, Nick Craig-Wood, user77)
- filter: Fix
--files-fromcopy stopping at the first unreadable file (Nick Craig-Wood) - fs
- Fix command line flag being ignored when set to its default value (Nick Craig-Wood)
- Fix negative offset when a suffix Range request exceeds object size (Amit Mishra)
- gui: Update embedded release to 1.1.10 (Nick Craig-Wood)
- ncdu: Fix duplicated keystrokes on Windows by pinning tcell to v2.9.0 (Nick Craig-Wood)
- serve restic: Fix
--private-reposisolation bypass CVE-2026-59733 (Nick Craig-Wood) - serve s3
- Fix spurious 404 on HEAD/GET during VFS writeback (max)
- Fix path traversal letting clients see files in the root GHSA-8v25-v8p6-qf7v (Nick Craig-Wood)
- serve webdav: Fix MOVE overwrite failing without Overwrite header (Sanjay Santhanam)
- serve/http: Fix
--disable-zipso it works over rc (Nick Craig-Wood)
- accounting
- VFS
- Fix hang reopening a file during the handle-caching grace period (Nick Craig-Wood)
- Local
- Stop
--linkssymlinks escaping the destination directory CVE-2026-54572 (Nick Craig-Wood) - Don't restore setuid/setgid/sticky bits from metadata by default GHSA-945v-v9p3-v5xw (Nick Craig-Wood)
- Stop
- Drive
- Warn when non-exportable Google documents are skipped (Nick Craig-Wood)
- Fix stray %!(EXTRA) in unexportable google document log message (Nick Craig-Wood)
- Warn when using rclone's shared client_id (Nick Craig-Wood)
- Filelu
- Fix recursive listing path handling and file filtering (kingston125)
- Googlephotos
- Warn when using rclone's shared client_id (Nick Craig-Wood)
- Mega
- Wait for server events after upload, delete and move (Nick Craig-Wood)
- Fix hard deleted files reappearing in listings (Nick Craig-Wood)
- S3
- Remove session token on cross-host redirects (IceLocke)
- Strip STS security token on same-host HTTPS->HTTP redirect GHSA-cf44-9pgv-m4xc (Nick Craig-Wood)
- Fix error mapping in GetObject to match HeadObject (lewoberst)
- Correct documented
copy_cutoffminimum to 1 byte (max) - Fix mounting a prefix failing with 403 when HEAD is not permitted (Nick Craig-Wood)
- Smb
- Fix for IBM iSeries and signature verification (dithwick)
- WebDAV
- Fix mixed property statuses in multi-status responses (nako-ruru)