Rclone Release v1.74.1

Releases
1

Rclone 1.74.1 has been released. Find it in the rclone downloads or use rclone selfupdate to upgrade.

This is a security release to fix several CVEs Go and a few other small things.

v1.74.1 - 2026-05-08

See commits

  • Bug Fixes
    • bisync: Fix retryable without --resync error message when --resync has a critical failure (Gustavo V. F.)
    • build
      • Fix multiple CVEs by upgrading to go1.26.3 (Nick Craig-Wood)
        • CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database
        • CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
        • CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows
        • CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase
        • CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment
        • CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable temporary filenames
        • CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
        • CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
        • CVE-2026-39826: html/template: escaper bypass leads to XSS
        • CVE-2026-33811: net: crash when handling long CNAME response
        • CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS
      • Update golang.org/x/net to v0.53.0 to fix CVE-2026-33814 (Nick Craig-Wood)
    • cmd/serve/s3: Return object listings in key order (Leon Brocard)
  • Cloudinary
    • Fix retrying every error and fix pacer sleep units (Nick Craig-Wood)
  • Drime
    • Fix large file uploads landing in drive root instead of configured folder (Nick Craig-Wood)
    • Fix uploads of 100..200M files (Nick Craig-Wood)
  • Protondrive
    • Route HTTP through rclone's transport (Nick Craig-Wood)
    • Route library logging through rclone's logger (Nick Craig-Wood)
    • Fix segfault when copying files missing revision metadata (Nick Craig-Wood)
  • S3
    • Fix STS call per request by caching AssumeRole credentials (Nick Craig-Wood)
    • Add new Fastly Object Storage regions (Leon Brocard)
4 Likes