Cross-Site Request Forgery Vulnerability in Tautulli by Tautulli
CVE-2026-43985

8.8 HIGH

Key Information:

Vendor: Tautulli
Status: Vendor
CVE Published: 4 June 2026

What is CVE-2026-43985?

Tautulli, a monitoring tool for Plex Media Server, has a cross-site request forgery (CSRF) vulnerability in its 'configUpdate' endpoint. The endpoint neither enforces the 'POST' method nor requires an anti-CSRF token, so a state-changing request to it can be triggered from any origin, including by a plain GET. If a logged-in administrator visits a page controlled by an attacker, that page can make the administrator's browser send a forged request (carrying the victim's session cookie) that modifies the administrator's credentials, giving the attacker access to the Tautulli administrative interface. The issue is fixed in version 2.17.1; users of earlier versions should upgrade.
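The two missing controls the advisory names, method enforcement and a per-session anti-CSRF token, are easiest to see side by side. The following is an added example written for this page, not Tautulli's own code (Tautulli is written in Python, but the Request class, the settings dict, the 'http_username'/'http_password' keys and the APP_ORIGIN value are assumptions for illustration). It replays a forged cross-site GET and a forged cross-site POST against a handler built the way the advisory describes and against a hardened one, then a legitimate same-origin POST against the hardened one.

```python
# Added example: anti-CSRF checks for a settings-update endpoint.
# NOT Tautulli's code; Request, settings, CREDENTIAL_KEYS and APP_ORIGIN are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://tautulli.example"          # assumed origin the app is served from
CREDENTIAL_KEYS = ("http_username", "http_password")


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Create, once per session, the token every state-changing form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def config_update_vulnerable(req, settings):
    """The pattern the advisory describes: any method, params from query or body, no token.

    The victim's browser attaches the session cookie automatically, so an <img src=...>
    or an auto-submitted cross-site form is enough to land attacker values in settings."""
    params = {**req.query, **req.form}
    for key in CREDENTIAL_KEYS:
        if key in params:
            settings[key] = params[key]
    return 200


def _same_origin(req):
    """True if Origin (or, failing that, Referer) matches the app's origin; absent header => reject."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def config_update_hardened(req, settings):
    """Same endpoint with POST enforcement and a session-bound token, plus an Origin check."""
    if req.method != "POST":
        return 405                      # no side effects on GET: img/script/link tags cannot trigger it
    if not _same_origin(req):
        return 403
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    # constant-time comparison; a missing session token or missing form token fails here
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    for key in CREDENTIAL_KEYS:         # read only the POST body, never the query string
        if key in req.form:
            settings[key] = req.form[key]
    return 200


def simulate():
    """Replay forged cross-site requests against both handlers, then a legitimate one."""
    session = {}                        # the admin's authenticated session (sent via cookie)
    issue_csrf_token(session)
    results = {}

    # 1. Forged GET, e.g. <img src="https://tautulli.example/configUpdate?http_password=pwned">
    forged_get = Request("GET", {"Referer": "https://evil.example/"},
                         query={"http_password": "pwned"}, session=session)
    vuln, hard = {"http_password": "orig"}, {"http_password": "orig"}
    results["get_vuln"] = (config_update_vulnerable(forged_get, vuln), vuln["http_password"])
    results["get_hard"] = (config_update_hardened(forged_get, hard), hard["http_password"])

    # 2. Forged auto-submitting POST form on evil.example; the browser sets Origin itself
    forged_post = Request("POST", {"Origin": "https://evil.example"},
                          form={"http_password": "pwned"}, session=session)
    vuln, hard = {"http_password": "orig"}, {"http_password": "orig"}
    results["post_vuln"] = (config_update_vulnerable(forged_post, vuln), vuln["http_password"])
    results["post_hard"] = (config_update_hardened(forged_post, hard), hard["http_password"])

    # 3. Legitimate POST from the app's own settings page carrying the session token
    good = Request("POST", {"Origin": APP_ORIGIN},
                   form={"http_password": "new", "csrf_token": session["csrf_token"]},
                   session=session)
    hard = {"http_password": "orig"}
    results["post_good"] = (config_update_hardened(good, hard), hard["http_password"])
    return results


if __name__ == "__main__":
    for name, (status, value) in simulate().items():
        print(f"{name}: HTTP {status}, http_password={value!r}")
```

The vulnerable handler accepts both forged requests and overwrites the credential; the hardened one answers 405 to the GET, 403 to the token-less cross-origin POST, and 200 only to the same-origin POST that carries the session's token. The Origin check is defence in depth rather than a replacement for the token: browsers do not send Origin on every request, which is why the example rejects state-changing requests that carry neither Origin nor Referer. Marking the session cookie SameSite=Lax or Strict further reduces exposure but is not a substitute for either check.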

Affected Version(s)

Tautulli < 2.17.1

CVSS V3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 4 June 2026