
Tautulli CVE-2026-43986

EUVD-2026-34286 · CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-04 · GitHub_M
CVSS 3.1 base score: 9.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 04, 2026 - 17:16 (EUVD)
Source Code Evidence Fetched: Jun 04, 2026 - 16:15 (vuln.today)
Analysis Generated: Jun 04, 2026 - 16:15 (vuln.today)

Description (NVD)

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public /image/<hash> route that resolves attacker-controlled entries from image_hash_lookup and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request /image/<hash>.png and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.

Analysis (AI)

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the Tautulli or Plex Media Server host into fetching arbitrary attacker-chosen URLs via the public /image/<hash> route. A low-privilege guest first seeds a malicious external URL into the image_hash_lookup table, after which any unauthenticated external user can trigger the SSRF by requesting the resulting hash. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege guest account
Delivery: Seed malicious URL into image_hash_lookup
Exploit: Log out and reach public /image/<hash> route
Execution: Trigger unauthenticated server-side fetch
Impact: Read internal service or cloud metadata response

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) initial access to a low-privilege guest account on the target Tautulli instance to seed an entry into the `image_hash_lookup` table via the existing authenticated image-proxy code path, and (2) network reachability to the public `/image/<hash>` endpoint for the unauthenticated trigger step, which is the default deployment posture for Tautulli when exposed for remote access. …
Risk Assessment: The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L produces a 9.9 score, driven primarily by the Changed scope (the Tautulli host can be coerced into reaching the Plex Media Server or internal infrastructure). …
Exploit Scenario: An attacker registers or compromises a low-privilege Tautulli guest account and uses the authenticated image-proxy flow to seed a hash entry pointing at an internal target such as http://169.254.169.254/latest/meta-data/ or an internal Plex admin URL. The attacker then logs out and, from any unauthenticated network position, repeatedly requests `/image/<hash>.png`, causing the Tautulli/Plex host to issue server-side requests to the attacker-chosen URL and return or cache responses. …
Remediation: Vendor-released patch: upgrade to Tautulli 2.17.1 or later, which stops storing image hashes for external images and closes the SSRF gadget (release notes: https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1; advisory: https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m6j6-rc2c-8vpm). …
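The mitigation the advisory describes (stop storing hashes for external images, so the public /image/<hash> route can only ever replay fetches against the PMS origin), sketched as an added Python example. This is not Tautulli's code; the PMS origin, the shape of the lookup table and the hash scheme are assumptions, and the resolver also re-validates stored URLs so that entries seeded before the fix are not replayed.

```python
import hashlib
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed configuration: the only origin that server-side image fetches may
# target. Real Tautulli takes this from its PMS settings; these are placeholders.
PMS_SCHEME, PMS_HOST, PMS_PORT = "http", "plex.internal", 32400

# Hypothetical stand-in for Tautulli's image_hash_lookup table (hash -> URL).
image_hash_lookup: Dict[str, str] = {}


def is_pms_image_url(url: str) -> bool:
    """Accept only URLs on the configured PMS origin. External hosts, other
    schemes, embedded credentials and unexpected ports are all refused, so a
    URL the server should never fetch cannot be stored in the first place."""
    try:
        p = urlparse(url)
        return (
            p.scheme == PMS_SCHEME
            and p.hostname == PMS_HOST
            and p.port == PMS_PORT  # raises ValueError for a non-numeric port
            and p.username is None
            and p.password is None
        )
    except ValueError:  # malformed host or port: treat as not allowed
        return False


def register_image(url: str) -> Optional[str]:
    """Authenticated image-proxy path. A hash is stored only for PMS-origin
    images; returning None for everything else is what removes the persistent
    unauthenticated gadget described in the advisory."""
    if not is_pms_image_url(url):
        return None
    digest = hashlib.sha256(url.encode()).hexdigest()[:32]  # hash scheme assumed
    image_hash_lookup[digest] = url
    return digest


def resolve_public_image(digest: str) -> Optional[str]:
    """Unauthenticated /image/<hash> path. The stored URL is validated again at
    fetch time, so entries seeded before the fix cannot be replayed either."""
    url = image_hash_lookup.get(digest)
    if url is None or not is_pms_image_url(url):
        return None
    return url
```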

Recommended Action (AI)

Within 24 hours: Audit which Tautulli instances are externally accessible and restrict network access to trusted IP ranges only. …


CVE-2026-43986 vulnerability details – vuln.today
