Rsync Authorization Bypass Vulnerability via Hostname Resolution

Vulnerability

An authorization bypass vulnerability has been identified in Rsync versions through 3.4.2. It resides in the rsync daemon's enforcement of hostname-based access control lists, particularly when the daemon is configured with chroot. Attackers can circumvent hostname-based deny rules by manipulating the PTR record of their source IP address. When reverse DNS resolution fails, the client hostname defaults to 'UNKNOWN', enabling connections from hostnames that administrators intended to block.

Impact

Exploitation of this vulnerability allows for hostname-based access control bypass, enabling unauthorized connections to the rsync daemon from denied hostnames.

Remediation

Users can upgrade to Rsync version 3.4.3 or later, or use IP-based access control lists instead of hostname-based ones. If hostname-based ACLs must be used, ensure the chroot environment contains the necessary files for reverse DNS resolution.
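
A configuration audit for the remediation above, as an added example that is not part of the advisory or the rsync project: it lists `hosts allow` / `hosts deny` entries in an rsyncd.conf that are hostname patterns rather than IP addresses or networks. The sample configuration is constructed, and the script assumes a single file with no `&include` directives or backslash line continuations.

```python
import ipaddress
import re

# Constructed sample rsyncd.conf (not taken from the advisory).
SAMPLE_CONF = """\
use chroot = yes
hosts deny = *.blocked.example
[backups]
hosts allow = 192.0.2.0/24, 2001:db8::/32

[mirror]
use chroot = no
hosts deny = scanner.example 198.51.100.7
"""

def is_ip_pattern(pattern):
    """True for address, address/bits and address/netmask patterns."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False

def audit(conf_text):
    """Return (module, parameter, pattern, use_chroot) per hostname-based ACL entry."""
    defaults, modules, current = {}, {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            name = section.group(1).strip()
            # "[global]" switches back to global parameters
            current = None if name == "global" else modules.setdefault(name, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # names ignore case and whitespace
            (defaults if current is None else current)[key] = value.strip()
    findings = []
    for module, params in modules.items():
        merged = {**defaults, **params}  # module settings override global ones
        for key in ("hostsallow", "hostsdeny"):
            for pattern in re.split(r"[,\s]+", merged.get(key, "")):
                if pattern and not is_ip_pattern(pattern):
                    findings.append((module, key, pattern, merged.get("usechroot", "not set")))
    return findings

for finding in audit(SAMPLE_CONF):
    print("hostname-based ACL entry: module=%s param=%s pattern=%s use_chroot=%s" % finding)
```

Each reported entry is a candidate for replacement with an IP-based rule; entries in modules where chroot is in use match the configuration this advisory describes.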

Added: May 20, 2026, 2:59 AM
Updated: May 20, 2026, 2:59 AM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 0.6
exploitability: 6.3
remediation: 8.3
relevance: 8.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.