Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue.
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows an attacker to change the administrator username and password on a Tautulli instance. By luring a logged-in administrator to a malicious page, an attacker can submit a cross-site request to the `/configUpdate` endpoint, which enforces neither POST nor an anti-CSRF token. The session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests, so the cookie accompanies the request and the request is accepted. The attacker can then authenticate with the new credentials and take full control of the Tautulli administrative interface. The weakness is a classic CSRF issue (CWE-352) and leads to direct privilege escalation without requiring code execution on the server.

Affected Systems

The flaw exists in Tautulli versions before 2.17.1. The affected product is the Tautulli monitoring and tracking tool for Plex Media Server. Any installation that uses a default configuration and has administrator access is vulnerable, unless the underlying version is upgraded to 2.17.1 or newer.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity flaw. The EPSS score is not available, so the exact exploitation probability is unknown, but the lack of an anti-CSRF token and method restriction makes the attack trivial for anyone who can persuade an administrator to visit a malicious site. The vulnerability is not listed in the CISA KEV catalog, yet its impact is significant because it compromises the sole administrative account. If the administrator does not notice the change, the attacker can sign in with the attacker-chosen credentials immediately after the attack.

Generated by OpenCVE AI on June 4, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tautulli to version 2.17.1 or newer.
  • If an immediate patch is not possible, disable or remove the `/configUpdate` route from the web interface.
  • Alternatively, configure a web application firewall or equivalent to reject cross-site POST requests to `/configUpdate` that lack a proper CSRF token, or to restrict the method to POST only.
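
The filtering recommended in the last item can be sketched as a WSGI middleware. This is an added example, not Tautulli's code and not the 2.17.1 patch; the class name `ConfigUpdateGuard` is hypothetical, and it assumes the application is served at the site root and that a browser-issued request carries `Sec-Fetch-Site`, `Origin` or `Referer`.

```python
from urllib.parse import urlsplit

GUARDED_PATHS = {"/configUpdate"}  # endpoint named in the advisory


def is_cross_site(environ):
    """True unless browser-supplied headers show a same-origin request."""
    fetch_site = environ.get("HTTP_SEC_FETCH_SITE")
    if fetch_site is not None:
        return fetch_site != "same-origin"
    # Older browsers: fall back to Origin, then Referer.
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        return True  # fail closed: no provenance on a state-changing request
    return urlsplit(source).netloc != environ.get("HTTP_HOST", "")


class ConfigUpdateGuard:
    """WSGI middleware (hypothetical name) placed in front of the application."""

    def __init__(self, app, guarded=GUARDED_PATHS):
        self.app = app
        self.guarded = guarded

    def decide(self, environ):
        """Return None to pass the request on, or a status line to reject it."""
        if environ.get("PATH_INFO", "").rstrip("/") not in self.guarded:
            return None
        if environ.get("REQUEST_METHOD") != "POST":
            return "405 Method Not Allowed"  # blocks GET-based top-level navigation
        if is_cross_site(environ):
            return "403 Forbidden"
        return None

    def __call__(self, environ, start_response):
        status = self.decide(environ)
        if status is None:
            return self.app(environ, start_response)
        headers = [("Content-Type", "text/plain")]
        if status.startswith("405"):
            headers.append(("Allow", "POST"))
        start_response(status, headers)
        return [status.encode()]
```

Requests to the guarded path that carry no provenance header at all are rejected, so any non-browser client that posts to this route would need an explicit exception.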


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Tautulli; Tautulli tautulli |
| Vendors & Products | | Tautulli; Tautulli tautulli |

Thu, 04 Jun 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue. |
| Title | | Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover |
| Weaknesses | | CWE-352 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:51:48.193Z

Reserved: 2026-05-04T20:24:31.916Z

Link: CVE-2026-43985

Vulnrichment

Updated: 2026-06-04T17:50:21.765Z

NVD

Status: Deferred

Published: 2026-06-04T16:16:38.083

Modified: 2026-06-04T19:16:29.670

Link: CVE-2026-43985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T17:15:06Z

Weaknesses