CVE-2026-28505
Sandbox Bypass in Tautulli str_eval() Enables Code Injection
Publication date: 2026-03-30
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | to 2.17.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28505 is a remote code execution (RCE) vulnerability in Tautulli versions prior to 2.17.0, specifically in the str_eval() function within notification_handler.py. This function attempts to safely evaluate notification text templates using a sandboxed eval() that restricts callable names by inspecting the compiled code object's co_names attribute. However, this sandbox only checks the outer code object's co_names and ignores nested code objects created by lambda expressions, whose attribute accesses are stored in co_consts instead.
Because the sandbox does not inspect nested code objects, an attacker can craft a lambda expression that accesses forbidden attributes via the __globals__ attribute of a function passed in the template. This allows bypassing the whitelist and executing arbitrary OS commands on the server.
The vulnerability requires the NOTIFY_TEXT_EVAL feature to be enabled (which is off by default) and can be exploited by an attacker with admin access or via CSRF due to lack of CSRF protection on admin endpoints.
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on the server running Tautulli, allowing an attacker to execute arbitrary operating system commands. This can compromise the server's security, potentially leading to data theft, service disruption, or further attacks within the network.
Exploitation requires either administrative access or the ability to perform a cross-site request forgery (CSRF) attack due to missing CSRF protections on admin endpoints. Additionally, if API keys are leaked, unauthenticated remote code execution may be possible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the evaluation of notification text templates in Tautulli versions up to 2.16.1, specifically when the NOTIFY_TEXT_EVAL feature is enabled. Detection involves identifying if your Tautulli installation is running a vulnerable version and if the vulnerable feature is enabled.
To detect if your system is vulnerable, first check the Tautulli version:
- Run a command to check the installed Tautulli version, for example: `tautulli --version` or check the version in the Tautulli web interface.
If the version is 2.16.1 or earlier, the system is vulnerable unless patched.
To detect exploitation attempts or suspicious activity related to this vulnerability, monitor logs for notification templates containing suspicious lambda expressions or unusual eval usage. For example, search logs for patterns like `(lambda f:` or `__globals__` which are indicators of exploit attempts.
- Example command to search logs for suspicious patterns: `grep -rE '\(lambda f:|__globals__' /path/to/tautulli/logs/`
Additionally, monitor for unexpected OS command executions or unusual system behavior on the server running Tautulli.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-28505 allows remote code execution (RCE) on the affected Tautulli server, which can lead to unauthorized access and control over the system.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.
Specifically, the ability for an attacker to execute arbitrary OS commands could lead to exposure or manipulation of sensitive personal or health data, violating regulatory requirements.
Therefore, organizations using vulnerable versions of Tautulli prior to 2.17.0 may face increased risk of non-compliance with these standards until the vulnerability is patched.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been fixed.
- Upgrade Tautulli to version 2.17.0 or newer.
If upgrading immediately is not possible, disable the NOTIFY_TEXT_EVAL feature, which enables the vulnerable evaluation of notification text templates.
- Disable the NOTIFY_TEXT_EVAL feature in the Tautulli configuration.
Restrict administrative access to the Tautulli server to trusted users only, as exploitation requires admin access or CSRF on admin endpoints.
- Limit admin access and ensure CSRF protections are in place.
Monitor and audit logs for suspicious activity related to this vulnerability.