You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
rsync security
About this tag
The rsync security tag covers vulnerabilities and hardening guidance for the rsync file-synchronization tool, a staple in enterprise IT and backup workflows. Recent discussions focus on three CVEs: CVE-2026-45232, a low-severity proxy bug fixed in rsync 3.4.3 that affects clients using the RSYNC_PROXY environment variable; CVE-2026-43617, a medium-severity authorization bypass in rsync daemon hostname-based access controls when chroot is enabled; and CVE-2025-10158, an out-of-bounds read vulnerability in the rsync receiver. These threads emphasize that rsync vulnerabilities often have narrow exploitation paths but can disrupt automation pipelines or bypass trust assumptions in name-based security policies. Administrators are advised to patch promptly and review rsync daemon configurations.
CVE-2026-45232 is a low-severity rsync vulnerability disclosed in May 2026 and fixed in rsync 3.4.3, affecting clients that use the RSYNC_PROXY environment variable and receive a deliberately malformed HTTP proxy response from a hostile proxy or network-positioned attacker. That is a narrow lane...
On May 20, 2026, CVE-2026-43617 was published for rsync 3.4.2 and earlier, describing a medium-severity authorization bypass in rsync daemon hostname-based access controls when the service is configured with chroot. The bug is not the kind of remote-code-execution siren that sends every SOC...
A newly disclosed vulnerability in the widely used file-synchronization utility rsync — tracked as CVE-2025-10158 — allows a malicious rsync receiver to induce an out-of-bounds read of a heap buffer by exploiting a negative array index; the issue was fixed upstream in a small commit but remains...