CVE-2026-31804
Received Received - Intake
Server-Side Request Forgery in Tautulli /pms_image_proxy Endpoint

Publication date: 2026-03-30

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31804
EUVD
EUVD-2026-17190
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tautulli tautulli to 2.17.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting the img parameter to only allow relative internal Plex library paths, such as those starting with /library/.

Reject any URLs containing schemes (like http) or external hostnames in the img parameter.

If external web image proxying is necessary, enforce a strict allowlist of permitted origins.

Upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.

Executive Summary

CVE-2026-31804 is a Server-Side Request Forgery (SSRF) vulnerability in the Tautulli application's /pms_image_proxy endpoint. This endpoint accepts a user-supplied img parameter and forwards it to the Plex Media Server's /photo/:/transcode transcoder without any authentication or validation of the URL scheme or host.

Because the endpoint is excluded from authentication checks, an attacker can supply any URL starting with http, causing the Plex Media Server, which usually runs on the same host or internal network as Tautulli, to make outbound HTTP requests to attacker-specified URLs or internal network addresses.

This allows attackers to probe internal hosts, enumerate internal services, and gather information such as Plex's version string via out-of-band interactions, despite the SSRF being 'blind' (limited response data).

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to make the Plex Media Server perform arbitrary HTTP requests to internal network resources or attacker-controlled URLs.

  • Attackers can probe internal hosts and services that are normally inaccessible from outside the network.
  • Attackers can perform internal service enumeration and gather sensitive information such as Plex version details.
  • This can lead to information disclosure about your internal network and potentially aid further attacks.
Detection Guidance

This vulnerability can be detected by attempting to probe the /pms_image_proxy endpoint with crafted HTTP requests that include the img parameter pointing to internal or attacker-controlled URLs.

  • Use a command like: curl 'http://TAUTULLI:8181/pms_image_proxy?img=http://192.168.1.1/' to test if the Plex Media Server forwards the request.
  • Check Plex server logs for evidence of forwarded requests to internal or external URLs.
  • Perform timing analysis on the responses to identify open internal TCP ports or services.

Note that the SSRF is blind, so only HTTP 200/201 responses from Plex return data, making detection more complex.

Compliance Impact

The vulnerability described is a Server-Side Request Forgery (SSRF) in Tautulli that allows unauthenticated attackers to cause the Plex Media Server to make arbitrary HTTP requests to internal or attacker-controlled URLs. This can lead to information disclosure about internal network resources.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to probe internal network services and potentially access sensitive information could pose risks to data confidentiality and privacy.

Therefore, organizations using vulnerable versions of Tautulli might face challenges in maintaining compliance with regulations that require protection of sensitive data and internal network security, such as GDPR and HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart