CVE-2026-43985: Critical CSRF Vulnerability in Tautulli Admin Endpoint Allows Credential Hijacking
Tautulli, a Python-based tool that monitors and manages Plex Media Server, contains a critical flaw in how it handles administrator settings changes. In versions before 2.17.1, an attacker can trick a logged-in administrator into visiting a malicious webpage, which silently changes the Tautulli admin username and password without the administrator's knowledge or consent. Once the credentials are changed, the attacker can log in directly and gain complete control of the Tautulli interface. This is a straightforward but dangerous type of attack that exploits the trust between a user's browser and the Tautulli server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-43985 is a cross-site request forgery (CSRF) vulnerability in Tautulli's `/configUpdate` endpoint. The flaw combines three security gaps: first, the endpoint accepts both GET and POST requests but lacks request-method validation; second, no CSRF token (such as a nonce or state parameter) is required; and third, the administrator session cookie uses `SameSite=Lax`, which permits top-level cross-site navigation requests that carry the cookie. An attacker can craft HTML that submits a form to `/configUpdate` from an attacker-controlled domain. When a logged-in administrator visits that page, their browser automatically includes their session cookie, allowing the form to execute and overwrite the admin credentials. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).
Business impact
Successful exploitation leads to immediate unauthorized administrative access to the Tautulli instance. An attacker can modify configuration settings, access or delete media libraries, alter user permissions, or extract sensitive information about the Plex server setup and content. For organizations relying on Tautulli to manage multi-user Plex deployments, this represents a complete loss of administrative control and audit trail integrity. The attack requires only social engineering—no special network positioning or zero-day exploit code—making it a practical risk even in air-gapped or restricted environments if an administrator can be directed to an external website.
Affected systems
Tautulli versions prior to 2.17.1 are affected. The vulnerability applies to all deployment scenarios where Tautulli's default authentication is in use (both form-based and JWT-based modes) and where an administrator might visit untrusted websites while logged in. Self-hosted Plex Media Server administrators running Tautulli for monitoring and user management are the primary target.
Exploitability
This vulnerability has a high exploitability rating. The attack requires only user interaction (luring an administrator to a malicious page) and no special privileges or complex technical setup. An attacker can host a simple HTML form on any website and use phishing, social engineering, or ad networks to drive traffic. The CVSS 3.1 score of 8.8 (HIGH severity, with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects the network attack vector, low attack complexity, lack of required privileges, and the requirement for user interaction—balanced against the high impact to confidentiality, integrity, and availability of the Tautulli administrative interface.
Remediation
Upgrade Tautulli to version 2.17.1 or later immediately. The patch enforces strict HTTP method validation on state-changing endpoints, implements CSRF token protection, and updates session cookie attributes to use `SameSite=Strict` where appropriate. Organizations unable to upgrade immediately should restrict network access to the Tautulli web interface (e.g., via firewall rules, reverse proxy authentication, or VPN) and educate administrators to avoid visiting untrusted websites while logged into Tautulli. Consider implementing a WAF rule that blocks POST requests to `/configUpdate` from external origins if immediate patching is delayed.
Patch guidance
Verify that your Tautulli installation is running version 2.17.1 or later by checking the About or Settings page within the Tautulli interface, or reviewing the release notes at the Tautulli project repository. If you are on a version prior to 2.17.1, apply the update through your package manager (e.g., pip, Docker, or native installer for your platform). Test the update in a non-production environment if possible to confirm no configuration data is lost. After upgrading, log out and log back in to refresh your session with the new security attributes.
Detection guidance
Monitor Tautulli access logs and reverse proxy logs for unusual POST requests to `/configUpdate` originating from outside your organization or from unexpected referrers. Look for rapid changes to administrator credentials or configuration settings, especially outside of normal maintenance windows. If you suspect exploitation, review authentication logs for unexpected login attempts immediately following suspicious POST requests. Consider enabling verbose logging in Tautulli (if available) to capture API calls and configuration changes. A SIEM rule monitoring for `/configUpdate` POST requests with a non-same-origin Referer header would be a useful preventive indicator.
Why prioritize this
This vulnerability merits immediate prioritization because it requires only user interaction to grant an attacker full administrative control over a Tautulli instance, bypassing all permission checks. The attack is trivial to execute and scales easily through social engineering. The CVSS 8.8 score and the ease of exploitation make this a critical security issue that should be patched as soon as operationally feasible. Any organization running Tautulli as a central Plex management tool should treat this as a top-tier remediation target.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a HIGH severity vulnerability with network accessibility (AV:N), low attack complexity (AC:L), no special privileges required (PR:N), and a requirement for user interaction (UI:R). The impact is high across all three security dimensions—confidentiality, integrity, and availability—because successful exploitation grants unrestricted administrative access. The score appropriately captures the ease of exploitation balanced against the severity of the outcome, but the practical risk may be higher in environments where Tautulli admins are frequently browsing the web or where social engineering is particularly effective.
Frequently asked questions
Can this vulnerability be exploited if the administrator is not actively using Tautulli when the malicious page is visited?
Yes. The vulnerability does not require active use of Tautulli—only that the administrator's browser has a valid session cookie for the Tautulli instance. As long as the session cookie exists and has not expired, visiting a malicious page can trigger the `/configUpdate` request. Clearing cookies or logging out of Tautulli before visiting untrusted sites is a temporary mitigation.
Does upgrading to 2.17.1 require me to reconfigure Tautulli or reset my settings?
No. The patch addresses the security vulnerability without affecting your existing configuration or settings. Your monitored Plex servers, user data, and preferences should remain intact after upgrading. As a best practice, back up your Tautulli configuration file before upgrading, but a reset should not be necessary.
If I restrict access to Tautulli to my local network only, am I protected from this attack?
Network restriction significantly reduces risk because the attacker cannot reach the Tautulli endpoint directly from the internet. However, the vulnerability can still be exploited if an administrator accesses Tautulli over the internet (e.g., via a reverse proxy or port forwarding) or if an attacker gains access to the internal network. Patching remains the most reliable mitigation.
What should I do if I suspect this vulnerability has already been exploited?
Immediately change all Tautulli administrative credentials and any linked credentials (if Tautulli is integrated with other services). Review access logs and configuration change history for unauthorized modifications. Check for any rogue user accounts or library access changes. Force a logout of all sessions and re-authenticate. If Plex server integration is present, verify that no malicious changes were propagated to the Plex instance itself. Finally, upgrade to version 2.17.1 to prevent future exploitation.
This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor patches or update timelines. Organizations should independently verify patch applicability and test updates in a non-production environment before deployment. The attack scenarios described are based on the CVE description and known CSRF attack patterns; actual exploitation may vary. Users are responsible for maintaining backups, monitoring their systems, and following their organization's change management and security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2026-4071MEDIUMBirdSeed WordPress Plugin CSRF Vulnerability – Patch & Detection Guide
- CVE-2026-42073MEDIUMOpenClaude OAuth State Validation Bypass Denial of Service