CVE-2026-41065 in Tautulli
Summary
by MITRE • 06/04/2026
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.
Analysis
by VulDB Data Team • 06/04/2026
Tautulli is a monitoring and tracking tool for Plex Media Server environments, giving administrators detailed analytics and notification capabilities. The vulnerability affects versions prior to 2.17.1 and is a critical remote code execution flaw reached through the application's newsletter functionality, made worse by management endpoints that require no authentication on a fresh install. It stems from insufficient input validation and improper access controls that let unauthorized users manipulate the newsletter agent configuration, creating an attack vector that can be exploited from any network location without local system access or prior credentials.
The exploitation chain begins with the ability to create newsletter agents through endpoints that remain unauthenticated during the initial setup phase of a fresh installation. This is a case of CWE-285, improper authorization: access to a privileged configuration endpoint is granted without validating that the caller is entitled to it. An attacker then points the custom template directory at an attacker-controlled SMB share serving a malicious Mako template and invokes the newsletter render endpoint, which loads and renders that template without validating where it came from. Because Mako templates are executable code by design, an attacker-controlled template is a direct path to arbitrary code execution on the target system.
The operational impact of this vulnerability extends beyond remote code execution on one host to complete system compromise and potential lateral movement within the network. An attacker who exploits it gains full control over the Tautulli server and can use it as a foothold to reach other systems on the same network. This is a particular concern for organizations that rely on Plex Media Server for entertainment or business purposes, as the compromised Tautulli instance could serve as a pivot point for broader network infiltration. The post-exploitation behaviour maps to ATT&CK technique T1059.001 (command and scripting interpreters), as the malicious template can execute arbitrary commands through the Mako template engine.
The exploitation process requires minimal privileges and no local system access, which makes it particularly dangerous where Tautulli is deployed without network segmentation or firewall restrictions. Even after setup is completed, the vulnerability remains exploitable by authenticated administrators, who can use their credentials to manipulate the newsletter configuration; the unauthenticated setup window only removes the one barrier that would otherwise limit the attack to admins. The fix in version 2.17.1 addresses these issues through proper access controls, input validation, and authentication enforcement for all management endpoints, so that only authorized users with appropriate privileges can configure newsletter agents or modify template directories. This remediation aligns with the OWASP Top Ten and NIST cybersecurity frameworks, which emphasize least privilege and input validation as defenses against this class of vulnerability. Organizations should upgrade to version 2.17.1 or later immediately, since the vulnerability can be exploited from any network location without physical access and, on an install whose setup wizard has not been completed, without any credentials at all.
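The template directory validation described above, as an added illustration rather than Tautulli's own code: a hypothetical `validate_template_dir` that rejects network-share locations (UNC, `//host/share`, `smb://`) and any path that escapes an allow-listed local base directory, so that no template can be loaded from an attacker-controlled share. The function names and the `/srv/tautulli/templates` base path are assumptions made for this example.

```python
import os
import re
from pathlib import PureWindowsPath

# Constructed example (not Tautulli code): a validator for the newsletter
# custom template directory setting. Policy: the directory must be a local
# path that stays inside an allow-listed base; anything naming a network
# share (UNC, //host/share, smb:// and similar) is rejected before any
# Mako template could be loaded from it.

_URL_SCHEME = re.compile(r"^(?:smb|cifs|nfs|file)://", re.IGNORECASE)


def is_remote_path(path: str) -> bool:
    """True if the value points at a network location rather than a local directory."""
    path = path.strip()
    if _URL_SCHEME.match(path):
        return True
    # PureWindowsPath parses UNC prefixes (\\host\share or //host/share) on any OS,
    # so a UNC value is caught even when this check runs on Linux.
    return PureWindowsPath(path).drive.startswith("\\\\")


def validate_template_dir(candidate: str, allowed_base: str) -> str:
    """Return the canonical directory if acceptable, otherwise raise ValueError."""
    if not candidate or "\x00" in candidate:
        raise ValueError("empty or malformed path")
    if is_remote_path(candidate):
        raise ValueError("network shares are not permitted as template directories")
    base = os.path.realpath(allowed_base)
    # join() keeps an absolute candidate as-is; realpath() resolves '..' and
    # symlinks, so a link inside the base that points elsewhere is also caught.
    resolved = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, resolved]) != base:
        raise ValueError("template directory escapes the allowed base directory")
    return resolved


def is_acceptable(candidate: str, allowed_base: str) -> bool:
    """Boolean wrapper, convenient for auditing stored configuration values."""
    try:
        validate_template_dir(candidate, allowed_base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/tautulli/templates"  # constructed base directory
    for value in ["custom", "../../../etc", r"\\share-host\share\tpl", "smb://share-host/share"]:
        print(f"{value!r:>28} -> {'ok' if is_acceptable(value, base) else 'REJECTED'}")
```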