Description
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, and any value of img beginning with http is passed directly to Plex. This causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0.
Published: 2026-03-30
Score: 4 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: SSRF allowing outbound requests to arbitrary URLs
Action: Patch Now
AI Analysis

Impact

The flaw is in the /pms_image_proxy endpoint of Tautulli, which is left unprotected by authentication. A user can supply any http:// or https:// URL in the img parameter; the backend forwards this to the Plex Media Server’s photo transcode service without checking the target address. This turns the Plex process into a proxy that can contact any address reachable from the host, including internal servers on RFC‑1918 address space and hosts on the Internet. The attacker can therefore exfiltrate data, discover services, or perform internal reconnaissance without needing credentials. The weakness is a server‑side request forgery (CWE‑918).

Affected Systems

Tautulli, the monitoring component for Plex Media Server, is affected. Any installation running a version earlier than 2.17.0 is vulnerable. The bug was fixed in release 2.17.0, so upgrades to that or later versions remove the issue.

Risk and Exploitability

The CVSS base score of 4.0 indicates moderate risk. The EPSS score is below 1%, suggesting that exploitation is currently unlikely, and the weakness is not listed in the CISA KEV catalog. However, the method requires only unauthenticated HTTP access to the Tautulli web interface, making the attack surface wide. A threat actor could exploit the flaw by sending a crafted request to the unprotected endpoint and directing the Plex Media Server to reach internal or external URLs. The lack of authentication and hostname restriction makes exploitation straightforward if the web service is publicly reachable.

Generated by OpenCVE AI on April 14, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tautulli to version 2.17.0 or later
  • Restrict or block access to the /pms_image_proxy endpoint via a firewall or reverse‑proxy rule
  • Deploy network segmentation to limit the Plex Media Server’s outbound reach
  • Monitor outbound traffic from the Plex Media Server for unexpected requests
  • Apply general best practices such as patching all software promptly

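The description says the endpoint forwarded any img value beginning with http without restricting scheme or host, and the recommended actions call for monitoring the proxy. The block below is an added example, not Tautulli's code or its actual 2.17.0 fix: a hypothetical hardened check that only accepts a relative Plex path in img, applied to constructed access-log lines to flag requests that carried an absolute URL.

```python
"""Added example (not Tautulli's own code or fix): hardened img check plus log triage."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical policy: the proxy should forward only Plex-relative library/photo paths,
# never a value with its own scheme or host, since that is what steers the outbound request.
PLEX_PATH_RE = re.compile(r"^/(library|photo)/[A-Za-z0-9/._-]+$")


def is_safe_img_param(img: str) -> bool:
    """True only for a relative Plex path; reject anything carrying a scheme or host."""
    if not img or len(img) > 512:
        return False
    parts = urlsplit(img)
    if parts.scheme or parts.netloc:          # catches http://, HTTP://, https://, //host
        return False
    if "\\" in img:                           # some clients rewrite backslashes to slashes
        return False
    return PLEX_PATH_RE.fullmatch(img) is not None


# Constructed sample lines in a common-log shape; not real Tautulli output.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2026:12:00:01 +0000] "GET /pms_image_proxy?img=/library/metadata/42/thumb/1 HTTP/1.1" 200 8123
203.0.113.9 - - [30/Mar/2026:12:00:05 +0000] "GET /pms_image_proxy?img=http://10.0.0.5:8080/ HTTP/1.1" 502 0
203.0.113.9 - - [30/Mar/2026:12:00:06 +0000] "GET /pms_image_proxy?img=https%3A%2F%2F192.168.1.20%2F HTTP/1.1" 502 0
203.0.113.7 - - [30/Mar/2026:12:00:09 +0000] "GET /home HTTP/1.1" 200 4551
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /pms_image_proxy\?([^ "]*) HTTP/[\d.]+" (\d{3})'
)


def find_suspicious_proxy_requests(log_text: str) -> list[dict]:
    """Return one record per /pms_image_proxy request whose img fails the hardened check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # not a proxy request at all
        client, ts, query, status = m.groups()
        img = parse_qs(query, keep_blank_values=True).get("img", [None])[0]  # percent-decodes
        if img is None:
            continue                              # no img parameter, nothing to forward
        if not is_safe_img_param(img):
            hits.append({"client": client, "time": ts, "img": img, "status": int(status)})
    return hits
```

Run against a real access log, the same function lists which clients asked the proxy to fetch an absolute URL and whether the upstream call returned a 502 or a 200.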


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 01:45:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Tautulli; Tautulli tautulli
Type: Vendors & Products
Values Added: Tautulli; Tautulli tautulli

Mon, 30 Mar 2026 19:45:00 +0000

Type: Description
Values Added: (identical to the description at the top of this page)
Type: Title
Values Added: Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server
Type: Weaknesses
Values Added: CWE-918
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:22:21.837Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31804

Vulnrichment

Updated: 2026-04-01T18:21:42.311Z

NVD

Status: Analyzed

Published: 2026-03-30T20:16:21.517

Modified: 2026-04-14T01:43:40.347

Link: CVE-2026-31804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:34Z

Weaknesses