CVE-2026-31799
Received Received - Intake
SQL Injection in Tautulli API Allows Admin Data Exfiltration

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "section_id" and "user_id", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31799
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tautulli tautulli From 2.1.0 (inc) to 2.17.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.

The patch replaces unsafe Python %-string formatting with parameterized SQLite queries to prevent SQL injection.

If upgrading is not immediately possible, restrict access to the Tautulli admin API key to trusted users only, as exploitation requires admin API key privileges.

Additionally, monitor and audit API usage for suspicious requests that may indicate exploitation attempts.

Compliance Impact

CVE-2026-31799 allows an attacker with a valid Tautulli admin API key to perform boolean-blind SQL injection and exfiltrate sensitive data from the SQLite database, including Plex Media Server API tokens, Plex.tv OAuth tokens, complete watch history, and login audit logs such as IP addresses and user agents.

The exposure of such sensitive personal and authentication data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and exfiltration.

Since exploitation requires admin API key access, which already grants high privileges, the vulnerability primarily increases the risk of stealthy data exfiltration, potentially undermining compliance efforts related to data confidentiality and security controls mandated by these standards.

Executive Summary

CVE-2026-31799 is a SQL Injection vulnerability in the Tautulli application's `/api/v2?cmd=get_home_stats` API endpoint. The vulnerability occurs because the endpoint directly inserts the query parameters `section_id`, `user_id`, `before`, and `after` into SQL queries using Python's `%`-string formatting without proper parameterization or sanitization.

This means that an attacker who has the Tautulli admin API key can manipulate these parameters to inject arbitrary SQL code into the database query. This injection allows the attacker to exfiltrate sensitive data from the Tautulli SQLite database by using boolean-blind inference techniques.

The vulnerability affects Tautulli versions from 2.1.0-beta to before 2.17.0, and it has been patched in version 2.17.0 by replacing unsafe string formatting with parameterized queries.

Impact Analysis

If exploited, this vulnerability allows an attacker with a valid Tautulli admin API key to perform boolean-blind SQL injection attacks to stealthily extract sensitive information from the Tautulli SQLite database.

  • Exfiltration of Plex Media Server API tokens (`users.server_token`).
  • Exfiltration of Plex.tv OAuth tokens (`users.user_token`).
  • Access to complete watch history (`session_history.*`).
  • Access to login audit logs including IP addresses and user agents (`user_login.ip_address` and `user_login.user_agent`).

Although exploitation requires admin API key access, which already grants significant control, this vulnerability increases the risk of undetected data theft of sensitive authentication tokens and user data.

Detection Guidance

This vulnerability can be detected by testing the /api/v2?cmd=get_home_stats endpoint of the Tautulli server for SQL injection in the parameters section_id, user_id, before, and after.

An attacker or tester with a valid Tautulli admin API key can attempt to inject SQL payloads into these parameters and observe the responses for signs of SQL injection.

Example curl commands to test for injection include:

  • Valid request: curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY&section_id=0"
  • Injection causing SQL syntax error: curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY&section_id=0+SQLI_PROOF"
  • Boolean TRUE injection (returns data): curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY&section_id=999999+OR+1=1"
  • Boolean FALSE injection (causes error): curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY&section_id=999999+OR+1=2"
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart