Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
Published: 2026-06-04
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in Tautulli’s cache deletion API allows an authenticated user to specify a file path that resolves outside the designated cache directory, enabling deletion of arbitrary files. The vulnerability can lead to loss of user data, media files, and can disrupt the service’s operation. The flaw maps to the weaknesses of uncontrolled path traversal (CWE‑22) and relative path usage (CWE‑73).

Affected Systems

Any installation of Tautulli that runs a version prior to 2.17.1 is susceptible. The issue affects all users who have enabled API access and trust authentication credentials, because the cache deletion endpoint can be invoked by anyone who can authenticate to the Tautulli instance.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. Exploitation requires valid API credentials, meaning the attacker must first authenticate locally or remotely to the Tautulli service. Because the flaw can delete arbitrary data, the potential impact is high for confidentiality and availability if the attacker targets critical media or configuration files. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Nonetheless, the presence of a path traversal flaw that bypasses directory restrictions warrants prompt attention.

Generated by OpenCVE AI on June 4, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tautulli to version 2.17.1 or later
  • If an upgrade is not immediately possible, restrict or disable the cache deletion endpoint for unauthenticated users and limit API access to trusted administrators
  • Monitor API activity logs for attempts to delete files outside the cache directory

Generated by OpenCVE AI on June 4, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Tautulli
Tautulli tautulli
Vendors & Products Tautulli
Tautulli tautulli
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
Title Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API
Weaknesses CWE-22
CWE-73
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tautulli Tautulli
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T15:06:37.640Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40605

cve-icon Vulnrichment

Updated: 2026-06-04T15:02:38.392Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T14:16:40.520

Modified: 2026-06-04T16:16:36.437

Link: CVE-2026-40605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-73

    External Control of File Name or Path