Rclone 1.73.4 has been released. Find it in the rclone downloads or use rclone selfupdate to upgrade.
This is a patch release to fix multiple upstream CVEs and a few other small things.
v1.73.4 - 2026-04-08
- Bug Fixes
- build
- Update to go 1.25.9 to fix multiple CVEs (Nick Craig-Wood)
- CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux
- CVE-2026-32289: html/template: JS template literal context incorrectly tracked
- CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains
- CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking
- CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination
- CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map
- CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock
- CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
- CVE-2026-32280: crypto/x509: unexpected work during chain building
- CVE-2026-32281: crypto/x509: inefficient policy validation
- Fix Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder (dependabot[bot])
- Update
golang.org/x/imageto 0.38.0 to fix CVE-2026-33809 (dependabot[bot])
- Update to go 1.25.9 to fix multiple CVEs (Nick Craig-Wood)
- docs
- Fix header level for metadata option (Clément Notin)
- Fix markdown issues in mount docs (albertony)
- Fix link to not be language specific (Ross Smith II)
- Note macOS 10.15 (Catalina) support with version v1.70.3 (kapitainsky)
- build
- Filen
- Update SDK version (Enduriel)