Tautulli Plex Monitoring Tool Vulnerabilities (CVE-2026-43984, CVE-2026-43985, CVE-2026-43986): Unauthenticated SSRF, CSRF Admin Takeover, and Stored XSS

Three vulnerabilities have been disclosed in Tautulli, the popular Python-based monitoring and tracking tool for Plex Media Server, tracked as CVE-2026-43984, CVE-2026-43985, and CVE-2026-43986. The most severe — CVE-2026-43986 — is a critical unauthenticated SSRF vulnerability (CVSS 9.9) that allows remote attackers to force the server to fetch arbitrary URLs. CVE-2026-43985 enables CSRF-based administrator account takeover, and CVE-2026-43984 is a stored XSS that executes in an administrator’s browser. All three are fixed in Tautulli version 2.17.1.

What Are the Vulnerabilities?

CVE-2026-43986 — Unauthenticated SSRF (CVSS 9.9 Critical, CWE-918): Tautulli exposes a public /image/<hash> route that resolves attacker-controlled entries from the image_hash_lookup table and replays them through the same server-side image fetch logic used by authenticated image proxying. The attack chain works as follows: a low-privilege guest user (when guest access is enabled) seeds a malicious external image URL into the lookup table, and then any unauthenticated user can request /image/<hash>.png to cause the Tautulli or Plex Media Server host to fetch an arbitrary attacker-chosen URL. This converts an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget — once the malicious hash is planted, exploitation requires no authentication at all. The SSRF can be used to scan internal networks, access cloud instance metadata services, or attack internal services reachable from the Tautulli host.
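The root problem described above is a server-side fetch that replays a stored, user-supplied URL without checking where it points. As an added example (not Tautulli's code), here is the kind of destination check such a fetcher should apply at fetch time, in Python; the allowed-port list and the `resolve_host` helper are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Tautulli's code: the destination check a server-side image
# fetcher should apply to a stored, user-supplied URL at fetch time. Because a
# planted hash is replayed for every later /image/<hash> request, validating
# only when the entry is created is not enough.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 32400}  # assumption; 32400 is the Plex default port

def resolve_host(host):
    """All addresses a hostname resolves to (separate so tests can stub DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_url(url, resolve=resolve_host):
    """Return (ok, reason). Rejects non-HTTP schemes, embedded credentials,
    unexpected ports and any destination that resolves to a loopback, private,
    link-local or otherwise non-global address; 169.254.169.254 (cloud instance
    metadata) falls under link-local."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

Resolving first and connecting later leaves a DNS-rebinding window, so a production fetcher should connect to the address it validated and repeat the check on every redirect.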

CVE-2026-43985 — CSRF Administrator Account Takeover (CVSS 7.1 High, CWE-352): The configUpdate endpoint is a state-changing administrator endpoint but does not enforce HTTP POST method restrictions and uses no anti-CSRF token. In the default JWT-based authentication mode, the administrator session cookie is issued with SameSite=Lax, which still permits top-level cross-site navigation requests. An attacker can lure a logged-in Tautulli administrator to visit a malicious page that submits a cross-site request to /configUpdate, overwriting the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take full control of the Tautulli administrative interface.
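The three missing controls named above (a POST-only restriction, an anti-CSRF token, and a cookie policy that Lax does not fully cover) can be layered in one request guard. The following Python is an added example, not Tautulli's code; the dict-based request shape, `site_origin` parameter and `check_state_change` name are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not Tautulli's code: a request guard for a state-changing admin
# endpoint such as the configUpdate route described above. It layers three
# independent checks: method restriction, Origin/Referer validation and a
# per-session anti-CSRF token. A SameSite=Lax cookie is still sent on a
# top-level cross-site navigation, so a handler that accepts GET is reachable
# through a plain link or redirect; the method check closes that path.

def issue_csrf_token():
    """Generate a per-session token; store it in the server-side session and
    embed it in every state-changing form."""
    return secrets.token_urlsafe(32)

def request_origin(headers):
    """Origin of the request: the Origin header, else scheme://host of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None

def check_state_change(method, headers, form, session, site_origin):
    """Return (allowed, reason). headers/form/session are plain dicts (header
    names canonical-cased); site_origin is this deployment's scheme://host[:port]."""
    if method.upper() != "POST":
        return False, "state change requires POST"
    origin = request_origin(headers)
    if origin is None or origin != site_origin:
        return False, f"cross-site or missing origin: {origin!r}"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```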

CVE-2026-43984 — Stored Cross-Site Scripting (CVSS 7.3 High, CWE-79): The log_js_errors endpoint is exposed to any authenticated user — including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log file without sanitisation. The administrator-only logFile view then reads that log file and embeds its contents into an HTML response without any escaping. A low-privilege guest user can inject HTML or JavaScript into the log file, which executes in an administrator’s browser when the log viewer is opened — enabling session theft, credential capture, or further administrative actions performed in the context of the admin’s session.

  • CVE-2026-43986: CVSS 9.9 Critical | CWE-918 (SSRF)
  • CVE-2026-43985: CVSS 7.1 High | CWE-352 (CSRF)
  • CVE-2026-43984: CVSS 7.3 High | CWE-79 (XSS)

Which Versions Are Affected?

All three vulnerabilities affect Tautulli prior to version 2.17.1:

  • Tautulli: all versions prior to 2.17.1

Tautulli is widely deployed by Plex Media Server users — it runs on the same network as media servers and often has access to internal network resources, making the SSRF vulnerability (CVE-2026-43986) particularly dangerous in home and small-office environments where network segmentation is minimal.

Is It Being Exploited in the Wild?

No active exploitation has been publicly reported at the time of writing. However, all three vulnerabilities were published on June 4, 2026 with full technical details and clear exploit paths. The SSRF vulnerability (CVE-2026-43986) requires only that guest access is enabled and a malicious hash entry exists — once planted, exploitation is fully unauthenticated. Tautulli instances exposed to the internet or accessible from untrusted local networks are at elevated risk.

What Are the Fixes?

All three vulnerabilities are fixed in Tautulli version 2.17.1. The release is available at:

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1

Update Tautulli by downloading the latest release and following the upgrade instructions, or if installed via a package manager, update through the appropriate channel. After updating, verify the version in the Tautulli web interface (Settings > General).

Recommendations

Update Tautulli to 2.17.1 immediately. Three vulnerabilities — including a CVSS 9.9 unauthenticated SSRF — in a single point release demand immediate attention. The update addresses all three issues.

Disable guest access if not needed. Two of the three vulnerabilities (CVE-2026-43986 and CVE-2026-43984) rely on guest access as an entry point. If your Tautulli instance does not require guest access, disable it in Settings > Access Control — this eliminates the initial attack vector for these vulnerabilities even prior to patching.

Rotate Tautulli administrator credentials after updating. CVE-2026-43985 allows CSRF-based credential overwrite. If your Tautulli instance was running a vulnerable version, rotate the administrator password after applying the update. Review the Tautulli user list for unexpected administrative accounts.

Review Tautulli logs for injected content. CVE-2026-43984 allows injection of arbitrary content into application logs. After updating, review the Tautulli log file for unexpected HTML or JavaScript content — particularly entries containing script tags, event handlers, or external resource references. Clear or rotate the log file if injected content is found.
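One way to carry out that log review, as an added example that is not Tautulli's own tooling: scan each log line for the markers listed above. The log line format and the sample entries below are constructed for illustration and only approximate Tautulli's real layout.

```python
import re

# Added example, not Tautulli's code: flag log lines carrying the markers called
# out above (script tags, inline event handlers, javascript: URLs, external
# resource references). Expect some false positives on legitimate angle brackets;
# the point is to surface lines for a human to look at.
PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "external_resource": re.compile(
        r"<\s*(?:script|img|iframe|link|object|embed)\b[^>]*\b(?:src|href)\s*=", re.I),
    "html_tag": re.compile(r"<\s*[a-z][a-z0-9-]*[^>]*>", re.I),
}

def scan_log_lines(lines):
    """Return [(line_no, [matched categories], line)] for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = [name for name, rx in PATTERNS.items() if rx.search(line)]
        if hits:
            findings.append((n, hits, line.rstrip("\n")))
    return findings

def scan_log_file(path):
    """Scan a log file on disk; tolerate non-UTF-8 bytes rather than abort."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_log_lines(f)

# Constructed sample log (format approximated, not a real Tautulli log):
SAMPLE_LOG = """\
2026-06-04 10:01:12 - INFO :: Thread-1 : Tautulli WebStart :: Tautulli WebUI started.
2026-06-04 10:02:03 - ERROR :: CP Server Thread-3 : Tautulli Log JS error :: TypeError: x is undefined
2026-06-04 10:02:40 - ERROR :: CP Server Thread-5 : Tautulli Log JS error :: <script src="http://192.0.2.10/a.js"></script>
2026-06-04 10:03:15 - ERROR :: CP Server Thread-2 : Tautulli Log JS error :: <img src=x onerror=alert(1)>
2026-06-04 10:04:00 - INFO :: Thread-1 : Tautulli ActivityHandler :: Session 12 stopped.
""".splitlines()

if __name__ == "__main__":
    for n, hits, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}\n    {line}")
```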

Do not expose Tautulli to the internet. Tautulli is a monitoring tool intended for local network use. If your instance is accessible from the internet, place it behind a VPN or restrict access to trusted local IP addresses. The SSRF vulnerability is particularly dangerous on internet-exposed instances, where attackers can use it to pivot into your internal network.

References

This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
