Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/<hash>` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/<hash>.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.
Published: 2026-06-04
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Tautulli prior to version 2.17.1 in the publicly reachable /image/<hash> endpoint. An attacker can insert a malicious image URL into the image_hash_lookup table, causing the server to fetch that URL during image generation. Because this endpoint does not require authentication, any external user can trigger a replay of the stored hash entry, leading to a persistent unauthenticated Server Side Request Forgery that can reach arbitrary internal or external addresses. This allows attackers to exfiltrate data, discover network services, or potentially execute further attacks.

Affected Systems

All installations of Tautulli using versions older than 2.17.1 are affected. The issue is present in the Tautulli monitoring tool for Plex Media Server, which runs on Python. Users should verify their installed version and upgrade if necessary.

Risk and Exploitability

The CVSS score is 9.9, indicating a critical level of risk. The EPSS score is not available, but the absence of a KEV listing does not diminish the severity; the vulnerability can be exploited by anyone who can access a Tautulli instance, making it highly likely to be abused on exposed servers. Triggering the fetch requires only an unauthenticated HTTP request to /image/<hash>, although the attacker must first seed the malicious hash via a low-privilege guest account, which is relatively easy. Once seeded, any external user can trigger the SSRF whenever they request the image, creating a persistent gadget that can be used without further credentials.

Generated by OpenCVE AI on June 4, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tautulli to version 2.17.1 or newer where the /image/<hash> route is protected.
  • If an upgrade is not possible, restrict access to the /image endpoint so it requires authentication or remove the route entirely from public access.
  • Implement network controls that limit outbound connections from the Tautulli host to approved destinations, preventing arbitrary fetches to internal or external addresses.
  • Monitor Tautulli logs for unexpected HTTP requests originating from the application to detect potential abuse.
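As an added illustration of the outbound-destination control recommended above (example code, not Tautulli's own): a Python check that a stored image URL resolves only to public addresses before the server-side fetch runs. The function names and the injectable resolver hook are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed example of an outbound-destination check for a server-side image
# fetch. Not Tautulli's code; function names and the resolver hook are hypothetical.

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _address_is_public(addr: str) -> bool:
    """True only for routable public addresses; maps IPv4-mapped IPv6 back to IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_image_url(url: str, resolver=_default_resolver) -> bool:
    """Gate a stored image URL before the server fetches it.

    Rejects non-HTTP schemes, URLs carrying userinfo, and any host that
    resolves (even partially) to loopback, private, link-local or other
    non-public space, so a seeded lookup entry cannot steer the fetch at the
    host itself or the internal network. Caveat: the HTTP client may resolve
    the name again at connect time (DNS rebinding); pinning the checked
    address into the connection closes that gap and is out of scope here.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)          # literal address: no lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError):
            return False
    return bool(addrs) and all(_address_is_public(a) for a in addrs)
```

Run the check at insertion time as well as at fetch time, since an entry seeded before the check existed would otherwise still be replayed.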

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Tautulli
                    |                | Tautulli tautulli
Vendors & Products  |                | Tautulli
                    |                | Tautulli tautulli

Thu, 04 Jun 2026 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/<hash>` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/<hash>.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.
Title       |                | Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:29:15.849Z

Reserved: 2026-05-04T20:24:31.916Z

Link: CVE-2026-43986

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-04T16:16:38.290

Modified: 2026-06-04T16:20:27.330

Link: CVE-2026-43986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses