CVE-2026-41065: Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.
Metrics
- CVSS v4.0: 8.9
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A remote code execution vulnerability exists in Tautulli, a Python-based monitoring tool for Plex Media Server, affecting all versions prior to 2.17.1. The flaw is reachable over the network and, on a fresh install before the setup wizard is completed, requires no credentials whatsoever; on a completed install, any admin account is sufficient to trigger it. Successful exploitation gives an attacker full code execution on the host running Tautulli. No fix version has been published upstream yet, and HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-41065 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Tautulli. Any image found to carry an affected version of Tautulli (prior to 2.17.1) is flagged immediately.
Status: Available
HarborGuard scores this CVE at 8.9 HIGH using the published CVSS v4.0 vector and surfaces it accordingly in each customer environment's findings queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the team or inbox designated by each organization's alert-routing configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 2.17.1 or a later fixed release is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point, subject to each environment's compliance policy.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable newsletter render endpoint is exposed over the network, so an attacker must be able to reach the Tautulli HTTP interface from the internet or local network.
- Authentication: Not required
On a fresh install before the setup wizard is completed, all management endpoints are fully unauthenticated, meaning no credentials of any kind are needed to execute the full attack chain.
- Victim interaction: Not required
The attacker triggers execution entirely by calling the newsletter render endpoint directly; no user action or click is required.
- Attack complexity
The exploit is reliable and condition-free once the attacker can reach the service, with no race conditions, memory layout dependencies, or other environmental factors to overcome.
Blast Radius
- The attacker executes arbitrary code in the security context of the Tautulli process on the host, giving them the ability to run any command available to that user.
- All data accessible to the Tautulli process is exposed, including Plex authentication tokens, API keys, and any stored user or playback history records.
- The attacker can modify or delete Tautulli configuration, logs, and persisted data on disk.
- The running Tautulli service can be crashed or made unavailable, interrupting monitoring and alerting for the associated Plex Media Server.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-41065 as of the publication date, HarborGuard continuously re-checks the advisory on every ingest cycle. The moment version 2.17.1 or a confirmed patched release is published upstream, a rebuilt image at that version becomes available, and for customers who opt into auto-remediation, the pipeline automatically rebuilds the image, runs the regression test suite, and opens a PR against affected workloads, subject to each environment's compliance policy.
In the interim, compensating controls are worth considering: network policy rules that restrict inbound access to the Tautulli HTTP port to trusted source addresses; egress filtering that blocks outbound SMB (port 445) connections, which the exploit relies on to fetch the malicious Mako template from an attacker-controlled share; and completing the Tautulli setup wizard immediately on any new deployment so that the unauthenticated-endpoint window is closed as quickly as possible. HarborGuard will surface the finding in each environment's queue and update its status automatically when a fix becomes available.
Affected Products
- Tautulli / Tautulli: < 2.17.1
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
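As an added illustration of the version matching described above (example code written for this page, not HarborGuard's own scanner), the following flags image inventory entries whose Tautulli version falls in the affected range (< 2.17.1). The registry names and inventory entries are constructed sample data; the pre-release handling (a 2.17.1 beta still sorts below the fixed release) and the numeric comparison (so 2.9.0 is not mistaken for being newer than 2.17.1) are the parts worth noting.

```python
import re
from dataclasses import dataclass

# First fixed release named in the advisory.
FIXED_VERSION = "2.17.1"

# Accepts forms such as "2.17.1", "v2.17.1", "2.17.1-beta.1", "v2.17.0rc2".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|rc)\.?(\d+)?)?$", re.IGNORECASE
)


def parse_version(text):
    """Turn a version string into a tuple that compares numerically.

    Plain string comparison would rank "2.9.0" above "2.17.1"; tuples of
    integers avoid that. A final release sorts after any pre-release of
    the same number, so "2.17.1-beta.1" is still inside the affected range.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = 1 if pre is None else 0  # release (1) > pre-release (0)
    return (int(major), int(minor), int(patch), pre_rank, int(pre_num or 0))


def is_affected(version):
    """True when the version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class ImageFinding:
    image: str
    version: str
    affected: bool


# Constructed sample inventory (image reference, detected Tautulli version).
SAMPLE_INVENTORY = [
    ("registry.example/media/tautulli:2.15.2", "2.15.2"),
    ("registry.example/media/tautulli:2.17.0", "2.17.0"),
    ("registry.example/media/tautulli:2.17.1", "2.17.1"),
    ("registry.example/media/tautulli:2.17.1-beta.1", "2.17.1-beta.1"),
    ("registry.example/media/tautulli:2.18.0", "v2.18.0"),
]


def scan_inventory(inventory):
    return [ImageFinding(image, ver, is_affected(ver)) for image, ver in inventory]


def flagged_images(inventory):
    """Image references that carry an affected Tautulli version."""
    return [f.image for f in scan_inventory(inventory) if f.affected]
```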