HarborGuard Database

Severity: HIGH | CVE-2026-43985 | CNA: GitHub_M

CVE-2026-43985: Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

Cross-site request forgery (CSRF) in Tautulli allows a remote attacker to overwrite the administrator username and password without any prior authentication. The attack is delivered over the network and requires a logged-in Tautulli administrator to visit a malicious page, which then silently submits a crafted request to the unprotected /configUpdate endpoint. Successful exploitation gives the attacker full administrative access to the Tautulli interface. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-43985 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Tautulli, in both registry scans and CI/CD pipeline checks.

Triage: Available

Triage is available with the CVSS v3.1 score of 8.8 (HIGH) applied automatically; per-environment compliance policy weighting can escalate or adjust priority, and the finding is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Tautulli 2.17.1 or a later fix release is published. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious page over the network and the cross-site request targets a Tautulli instance reachable from the victim's browser, so network exposure is necessary for the attack to succeed.

  • Authentication: Not required

    The attacker needs no credentials of their own; the attack piggybacks on the victim administrator's existing authenticated session cookie.

  • Victim interaction: Required

    A logged-in Tautulli administrator must be lured to visit a malicious web page that issues the cross-site request, making social engineering a prerequisite.

  • Attack complexity: Low (CVSS AC:L)

    Exploit conditions are straightforward and require no race conditions or special environmental setup; a simple malicious page is sufficient to trigger the request.

Blast Radius

  • Attacker overwrites the Tautulli administrator username and password with attacker-chosen values.
  • Attacker then signs in directly with the new credentials and controls the full Tautulli administrative interface.
  • From the admin interface, the attacker can read Plex library metadata, playback history, and any stored API tokens or integration credentials configured in Tautulli.
  • The attacker can modify Tautulli notification agents, webhooks, and scripts, enabling further lateral movement or persistent access into connected systems.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-43985, HarborGuard continuously re-checks the advisory on every ingest cycle. The moment Tautulli publishes a patched release, a rebuilt image at that version becomes available, and for customers with auto-remediation enabled, the pipeline will automatically trigger a rebuild, run regression tests, and open a PR against affected workloads. In the interim, compensating controls worth considering include:

  • isolating Tautulli instances behind a network policy that restricts inbound access to trusted internal addresses only;
  • adding an authenticating reverse proxy that enforces strict origin validation on state-changing requests;
  • reviewing whether the Tautulli instance needs to be reachable from a browser context that also visits untrusted external sites.

HarborGuard will surface the fix-version rebuild in the same pipeline flow the moment upstream availability is confirmed.
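The three controls whose absence the advisory describes (a POST-only rule on the mutating route, origin validation on state-changing requests, and a per-session anti-CSRF token) combined into one request guard. This is an added illustration, not Tautulli's code and not the 2.17.1 fix; the Request shape, the class and function names, the form field names and the sample requests are all assumed or constructed, and only the /configUpdate route comes from the advisory. One detail the guard relies on: a SameSite=Lax cookie is attached to top-level cross-site GET navigations but not to cross-site POSTs, which is why the missing method restriction matters and why the first check by itself closes the path the advisory describes; the other two checks are defence in depth for deployments where that cookie attribute cannot be relied on.

```python
"""Request guard for state-changing admin routes.

Added illustration only; this is not Tautulli's code and not the 2.17.1 fix.
It applies the three controls whose absence the advisory describes: a POST-only
rule, Origin/Referer validation against the instance's own origin, and a
per-session anti-CSRF token. The route name /configUpdate comes from the
advisory; everything else (class names, header handling, form field names,
the sample requests) is assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Routes that mutate state. Only the one named in the advisory is listed here;
# a real deployment enumerates every mutating route.
STATE_CHANGING_PATHS = {"/configUpdate"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # None when no session cookie arrived


class CsrfGuard:
    def __init__(self, own_origin: str) -> None:
        self.own_origin = own_origin.rstrip("/").lower()
        self._tokens: Dict[str, str] = {}  # session id -> synchronizer token

    def issue_token(self, session_id: str) -> str:
        """Mint a fresh token for a session; the server embeds it in its own forms."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason). Every check fails closed."""
        if req.path not in STATE_CHANGING_PATHS:
            return True, "not a state-changing route"
        headers = {k.lower(): v for k, v in req.headers.items()}

        # 1. Method restriction. A SameSite=Lax cookie is still attached to a
        #    top-level cross-site GET navigation, so a GET-tolerant mutating
        #    route is exactly the gap the advisory describes.
        if req.method.upper() != "POST":
            return False, "method not allowed: state-changing route requires POST"

        # 2. Origin validation, with Referer as fallback. A missing header is
        #    rejected rather than trusted, since referrer policies can strip it.
        origin = headers.get("origin")
        if origin is None and headers.get("referer"):
            parts = urlsplit(headers["referer"])
            origin = f"{parts.scheme}://{parts.netloc}"
        if origin is None:
            return False, "missing Origin and Referer on state-changing request"
        if origin.rstrip("/").lower() != self.own_origin:
            return False, f"cross-site origin rejected: {origin}"

        # 3. Synchronizer token bound to the session, compared in constant time.
        expected = self._tokens.get(req.session_id or "")
        supplied = req.form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "missing or invalid anti-CSRF token"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the guard over constructed requests (sample data, not captured traffic)."""
    own = "https://tautulli.internal.example"  # assumed deployment origin
    guard = CsrfGuard(own)
    token = guard.issue_token("admin-session")
    cases = {
        # Server-rendered settings form submitted by the admin: all three checks pass.
        "legit_post": Request("POST", "/configUpdate", {"Origin": own},
                              {"new_username": "admin", "csrf_token": token},
                              "admin-session"),
        # Top-level navigation from another site: the Lax cookie rides along,
        # so a session is present, but the method rule stops it first.
        "cross_site_get": Request("GET", "/configUpdate",
                                  {"Referer": "https://other.example/page"},
                                  {}, "admin-session"),
        # Cross-site POST that somehow carries a session: rejected on Origin.
        "cross_site_post": Request("POST", "/configUpdate",
                                   {"Origin": "https://other.example"},
                                   {"new_username": "x"}, "admin-session"),
        # Same-origin POST that lost its token (e.g. a stale tab): rejected on token.
        "same_origin_no_token": Request("POST", "/configUpdate", {"Origin": own},
                                        {"new_username": "admin"}, "admin-session"),
        # Read-only route is not subject to the guard at all.
        "read_only_get": Request("GET", "/home", {}, {}, "admin-session"),
    }
    return {name: guard.check(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

The order of the checks is deliberate: the method rule is the cheapest and, with a Lax cookie, already sufficient on its own; the origin check covers browsers or proxy setups where the cookie attribute is not honoured; the token check is what finally distinguishes the server's own form from anything else that reaches the route with a valid origin. Each branch returns a distinct reason string so a reverse proxy or application log can record which layer rejected the request, which is also the signal a detection rule would key on.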

Affected packages

  • Tautulli / Tautulli: < 2.17.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H