CVE-2026-28505
Received Received - Intake
Sandbox Bypass in Tautulli str_eval() Enables Code Injection

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28505
EUVD
EUVD-2026-17184
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tautulli tautulli to 2.17.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28505 is a remote code execution (RCE) vulnerability in Tautulli versions prior to 2.17.0, specifically in the str_eval() function within notification_handler.py. This function attempts to safely evaluate notification text templates using a sandboxed eval() that restricts callable names by inspecting the compiled code object's co_names attribute. However, this sandbox only checks the outer code object's co_names and ignores nested code objects created by lambda expressions, whose attribute accesses are stored in co_consts instead.

Because the sandbox does not inspect nested code objects, an attacker can craft a lambda expression that accesses forbidden attributes via the __globals__ attribute of a function passed in the template. This allows bypassing the whitelist and executing arbitrary OS commands on the server.

The vulnerability requires the NOTIFY_TEXT_EVAL feature to be enabled (which is off by default) and can be exploited by an attacker with admin access or via CSRF due to lack of CSRF protection on admin endpoints.

Impact Analysis

This vulnerability can lead to remote code execution on the server running Tautulli, allowing an attacker to execute arbitrary operating system commands. This can compromise the server's security, potentially leading to data theft, service disruption, or further attacks within the network.

Exploitation requires either administrative access or the ability to perform a cross-site request forgery (CSRF) attack due to missing CSRF protections on admin endpoints. Additionally, if API keys are leaked, unauthenticated remote code execution may be possible.

Detection Guidance

This vulnerability is related to the evaluation of notification text templates in Tautulli versions up to 2.16.1, specifically when the NOTIFY_TEXT_EVAL feature is enabled. Detection involves identifying if your Tautulli installation is running a vulnerable version and if the vulnerable feature is enabled.

To detect if your system is vulnerable, first check the Tautulli version:

  • Run a command to check the installed Tautulli version, for example: `tautulli --version` or check the version in the Tautulli web interface.

If the version is 2.16.1 or earlier, the system is vulnerable unless patched.

To detect exploitation attempts or suspicious activity related to this vulnerability, monitor logs for notification templates containing suspicious lambda expressions or unusual eval usage. For example, search logs for patterns like `(lambda f:` or `__globals__` which are indicators of exploit attempts.

  • Example command to search logs for suspicious patterns: `grep -rE '\(lambda f:|__globals__' /path/to/tautulli/logs/`

Additionally, monitor for unexpected OS command executions or unusual system behavior on the server running Tautulli.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been fixed.

  • Upgrade Tautulli to version 2.17.0 or newer.

If upgrading immediately is not possible, disable the NOTIFY_TEXT_EVAL feature, which enables the vulnerable evaluation of notification text templates.

  • Disable the NOTIFY_TEXT_EVAL feature in the Tautulli configuration.

Restrict administrative access to the Tautulli server to trusted users only, as exploitation requires admin access or CSRF on admin endpoints.

  • Limit admin access and ensure CSRF protections are in place.

Monitor and audit logs for suspicious activity related to this vulnerability.

Compliance Impact

The vulnerability CVE-2026-28505 allows remote code execution (RCE) on the affected Tautulli server, which can lead to unauthorized access and control over the system.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

Specifically, the ability for an attacker to execute arbitrary OS commands could lead to exposure or manipulation of sensitive personal or health data, violating regulatory requirements.

Therefore, organizations using vulnerable versions of Tautulli prior to 2.17.0 may face increased risk of non-compliance with these standards until the vulnerability is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart