CVE-2026-43986 in Tautulli
Summary
by MITRE • 06/04/2026
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.
Analysis
by VulDB Data Team • 06/04/2026
Tautulli serves as a monitoring and tracking solution for Plex Media Server environments, providing administrators with insights into media consumption patterns and system performance. The vulnerability exists within the application's handling of image resources through a public endpoint that was designed for legitimate image proxying functionality. This endpoint processes image requests through a lookup mechanism that was intended to provide efficient caching and retrieval of images from the Plex Media Server. However, the implementation failed to properly validate or sanitize external inputs that are stored in a lookup table, creating a persistent security flaw that affects all versions prior to 2.17.1.
The technical flaw is a server-side request forgery that abuses the `image_hash_lookup` mechanism to store attacker-controlled external URLs. A guest user with minimal privileges can inject malicious entries into this lookup table through the public `/image/` endpoint. That endpoint accepts unauthenticated requests and processes them through the same server-side logic that handles authenticated image proxying. The vulnerability stems from insufficient input validation and access controls that allow any user to manipulate the internal lookup table, creating a persistent SSRF gadget that remains active even after the initial malicious user has left the system. The flaw specifically concerns the `image_hash_lookup` functionality, which was designed to store and retrieve image references but became a vector for fetching arbitrary external resources.
The operational impact is significant: a previously limited authenticated SSRF primitive becomes a fully persistent, unauthenticated SSRF capability. Once an attacker has seeded a malicious URL into the `image_hash_lookup` table, any external user can trigger the server-side fetch by requesting `/image/.png` without any authentication credentials. This allows attackers to reach internal network resources that would normally be protected by firewalls or network segmentation, including internal services, databases, or other systems that are accessible only from the Tautulli server itself. The vulnerability can be exploited to perform reconnaissance, exfiltrate sensitive data, or escalate to compromise internal systems that are not directly exposed to the internet. Because the entries persist, they remain active until the system is restarted or the lookup table is manually cleared.
The vulnerability aligns with CWE-918, Server-Side Request Forgery, and follows patterns commonly identified in ATT&CK technique T1190, Exploit Public-Facing Application, and T1071.004, Application Layer Protocol: DNS. The issue demonstrates how seemingly benign functionality can be weaponized when proper input validation and access controls are missing. Organizations using Tautulli should immediately apply the patch released in version 2.17.1, which addresses the vulnerability by adding input sanitization and access controls for the `image_hash_lookup` mechanism. Additional mitigations include network-level restrictions that limit access to the `/image/` endpoint, monitoring for unusual patterns in image request processing, and proper authentication controls that prevent unauthorized users from reaching functionality capable of manipulating internal lookup tables. The vulnerability underscores the importance of validating all external inputs and applying defense in depth so that an authenticated capability cannot be turned into a persistent unauthenticated attack vector.
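The analysis above describes the two points where a guard belongs: when an entry is seeded into the lookup table, and again when the public route replays a stored entry, since an entry that was persisted before the guard existed (or whose DNS answer has since changed) is otherwise served as-is. The following is an added illustration of that pattern as a generic SSRF guard in Python; it is not Tautulli's own code, and the names `IMAGE_HASH_LOOKUP`, `classify_fetch_target`, `seed_image_hash`, `resolve_stored_image`, the key scheme and the stub DNS table are all hypothetical constructions for this example.

```python
"""Guarding a stored image-URL lookup at seed time and at replay time.

Illustrative example (not Tautulli code).  The lookup table, the key scheme and
the DNS stub are constructed so the example runs offline.
"""
import hashlib
import ipaddress
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Constructed DNS stand-in.  A real deployment would call socket.getaddrinfo()
# and check every returned address, not just the first.
_FAKE_DNS: Dict[str, List[str]] = {
    "plex.internal.example": ["10.0.0.5"],                    # the configured PMS (private, allowlisted)
    "cdn.example": ["93.184.216.34"],                         # constructed "public" host
    "rebind.example": ["93.184.216.34", "169.254.169.254"],   # one answer points into link-local space
}


def resolve_stub(host: str) -> List[str]:
    """IP literals 'resolve' to themselves; names come from the constructed table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return _FAKE_DNS.get(host, [])


def classify_fetch_target(url: str, allowed_hosts: Set[str],
                          resolve: Resolver = resolve_stub) -> str:
    """Return "ok" if the server may fetch url, otherwise the reason it must not."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port          # property access raises ValueError on a bad port
    except ValueError:
        return "malformed url"
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not host:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "credentials in url"
    if host in allowed_hosts:
        return "ok"             # pinned PMS host; may legitimately sit on a private address
    addrs = resolve(host)
    if not addrs:
        return "unresolvable host"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped   # ::ffff:10.0.0.1 is still 10.0.0.1
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return f"non-public address {a}"
    return "ok"


# Stand-in for the lookup table: key -> stored URL.
IMAGE_HASH_LOOKUP: Dict[str, str] = {}


def seed_image_hash(url: str, allowed_hosts: Set[str],
                    resolve: Resolver = resolve_stub) -> str:
    """Store a URL only after it passes the guard; return its lookup key."""
    verdict = classify_fetch_target(url, allowed_hosts, resolve)
    if verdict != "ok":
        raise ValueError(f"refusing to store {url!r}: {verdict}")
    key = hashlib.sha256(url.encode()).hexdigest()[:16]   # constructed key scheme
    IMAGE_HASH_LOOKUP[key] = url
    return key


def resolve_stored_image(key: str, allowed_hosts: Set[str],
                         resolve: Resolver = resolve_stub) -> Optional[str]:
    """What the public route would call.  The stored URL is re-checked at replay
    time, so an entry that slipped in earlier, or whose DNS now points somewhere
    internal, is refused instead of fetched."""
    url = IMAGE_HASH_LOOKUP.get(key)
    if url is None:
        return None
    if classify_fetch_target(url, allowed_hosts, resolve) != "ok":
        return None
    return url


if __name__ == "__main__":
    pms = {"plex.internal.example"}
    for candidate in ("http://plex.internal.example:32400/photo/1",
                      "http://cdn.example/a.png",
                      "http://rebind.example/a.png",
                      "http://[::ffff:10.0.0.1]/",
                      "file:///etc/passwd"):
        print(f"{candidate:45s} -> {classify_fetch_target(candidate, pms)}")
```

The allowlist is an exact hostname match for the configured media server, which is the one private-address target the fetch logic legitimately needs; every other host must resolve entirely to public addresses, and a single internal answer in a multi-record response rejects the whole URL. Revalidating at replay time is what closes the "persistent gadget" described above: the table itself no longer decides what the server will fetch.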