EUVD-2026-34256CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionNVD
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
AnalysisAI
Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Tautulli API credential with at minimum low-privilege access (CVSS PR:L) - unauthenticated remote exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.7 (Medium) reflects network-accessible exploitation (AV:N), low attack complexity (AC:L), no additional attack requirements (AT:N), low privilege requirement (PR:L), no user interaction (UI:N), high integrity impact on the vulnerable system (VI:H), and low availability impact (VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who possesses or has stolen a low-privilege Tautulli API key sends a crafted HTTP DELETE request to the cache deletion endpoint, embedding path traversal sequences (e.g., '../../var/lib/tautulli_data' or '../../etc') in the path parameter. The server processes the unsanitized input and deletes the specified directory outside the cache root, destroying configuration files, application data, or other critical directories accessible to the Tautulli process. … |
| Remediation | Upgrade to Tautulli v2.17.1 or later, which directly fixes CVE-2026-40605 as confirmed in the official release changelog at https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 and the security advisory at https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a
Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst
Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when gu
Share
External POC / Exploit Code
Leaving vuln.today