CVE-2026-31799
SQL Injection in Tautulli API Allows Admin Data Exfiltration
Publication date: 2026-03-30
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | From 2.1.0 (inc) to 2.17.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.
The patch replaces unsafe Python %-string formatting with parameterized SQLite queries to prevent SQL injection.
If upgrading is not immediately possible, restrict access to the Tautulli admin API key to trusted users only, as exploitation requires admin API key privileges.
Additionally, monitor and audit API usage for suspicious requests that may indicate exploitation attempts.
Can you explain this vulnerability to me?
CVE-2026-31799 is a SQL Injection vulnerability in the Tautulli application's `/api/v2?cmd=get_home_stats` API endpoint. The vulnerability occurs because the endpoint directly inserts the query parameters `section_id`, `user_id`, `before`, and `after` into SQL queries using Python's `%`-string formatting without proper parameterization or sanitization.
This means that an attacker who has the Tautulli admin API key can manipulate these parameters to inject arbitrary SQL code into the database query. This injection allows the attacker to exfiltrate sensitive data from the Tautulli SQLite database by using boolean-blind inference techniques.
The vulnerability affects Tautulli versions from 2.1.0-beta to before 2.17.0, and it has been patched in version 2.17.0 by replacing unsafe string formatting with parameterized queries.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with a valid Tautulli admin API key to perform boolean-blind SQL injection attacks to stealthily extract sensitive information from the Tautulli SQLite database.
- Exfiltration of Plex Media Server API tokens (`users.server_token`).
- Exfiltration of Plex.tv OAuth tokens (`users.user_token`).
- Access to complete watch history (`session_history.*`).
- Access to login audit logs including IP addresses and user agents (`user_login.ip_address` and `user_login.user_agent`).
Although exploitation requires admin API key access, which already grants significant control, this vulnerability increases the risk of undetected data theft of sensitive authentication tokens and user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /api/v2?cmd=get_home_stats endpoint of the Tautulli server for SQL injection in the parameters section_id, user_id, before, and after.
An attacker or tester with a valid Tautulli admin API key can attempt to inject SQL payloads into these parameters and observe the responses for signs of SQL injection.
Example curl commands to test for injection include:
- Valid request: curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY§ion_id=0"
- Injection causing SQL syntax error: curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY§ion_id=0+SQLI_PROOF"
- Boolean TRUE injection (returns data): curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY§ion_id=999999+OR+1=1"
- Boolean FALSE injection (causes error): curl -s "http://TAUTULLI:8181/api/v2?cmd=get_home_stats&apikey=APIKEY§ion_id=999999+OR+1=2"
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-31799 allows an attacker with a valid Tautulli admin API key to perform boolean-blind SQL injection and exfiltrate sensitive data from the SQLite database, including Plex Media Server API tokens, Plex.tv OAuth tokens, complete watch history, and login audit logs such as IP addresses and user agents.
The exposure of such sensitive personal and authentication data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and exfiltration.
Since exploitation requires admin API key access, which already grants high privileges, the vulnerability primarily increases the risk of stealthy data exfiltration, potentially undermining compliance efforts related to data confidentiality and security controls mandated by these standards.