CVE-2026-31804
Server-Side Request Forgery in Tautulli /pms_image_proxy Endpoint
Publication date: 2026-03-30
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | up to but excluding 2.17.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
- Restrict the img parameter to relative internal Plex library paths, such as those starting with /library/.
- Reject any img value that carries a URL scheme (such as http) or an external hostname.
- If proxying of external web images is genuinely required, enforce a strict allowlist of permitted origins.
- Upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.
Can you explain this vulnerability to me?
CVE-2026-31804 is a Server-Side Request Forgery (SSRF) vulnerability in the Tautulli application's /pms_image_proxy endpoint. This endpoint accepts a user-supplied img parameter and forwards it to the Plex Media Server's /photo/:/transcode transcoder without any authentication or validation of the URL scheme or host.
Because the endpoint is excluded from authentication checks, an attacker can supply any URL starting with http, causing the Plex Media Server, which usually runs on the same host or internal network as Tautulli, to make outbound HTTP requests to attacker-specified URLs or internal network addresses.
This allows attackers to probe internal hosts, enumerate internal services, and gather information such as Plex's version string via out-of-band interactions, even though the SSRF is 'blind' (the attacker sees little of the response data).
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker to make the Plex Media Server perform arbitrary HTTP requests to internal network resources or attacker-controlled URLs.
- Attackers can probe internal hosts and services that are normally inaccessible from outside the network.
- Attackers can perform internal service enumeration and gather sensitive information such as Plex version details.
- This can lead to information disclosure about your internal network and potentially aid further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to probe the /pms_image_proxy endpoint with crafted HTTP requests that include the img parameter pointing to internal or attacker-controlled URLs.
- Use a command like: curl 'http://TAUTULLI:8181/pms_image_proxy?img=http://192.168.1.1/' to test if the Plex Media Server forwards the request.
- Check Plex server logs for evidence of forwarded requests to internal or external URLs.
- Perform timing analysis on the responses to identify open internal TCP ports or services.
Note that the SSRF is blind: the endpoint only relays data when Plex answers with HTTP 200/201, so confirming the behaviour is less straightforward than with a non-blind SSRF.
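The following is an added example, not Tautulli's own code, that turns the mitigation advice above (relative /library/ paths only, no scheme or host, optional origin allowlist) into a validator for the img parameter, and then applies the same check to web-server access-log lines to flag earlier requests to /pms_image_proxy that carried an absolute or protocol-relative URL. The allowlist contents, the log format (Common Log Format) and the sample log lines are assumptions constructed for the example; only the internal address in the curl command comes from the page.

```python
"""Added example (not part of Tautulli): validate the img parameter of
/pms_image_proxy and scan access logs for requests that would have failed
that validation, i.e. likely SSRF attempts."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only relative Plex library paths are legitimate image sources.
ALLOWED_PREFIXES = ("/library/",)
# Assumption: empty by default; populate (e.g. {"https://images.example.org"})
# only if external image proxying is genuinely needed.
ALLOWED_ORIGINS: frozenset = frozenset()


def is_safe_img(img: str) -> bool:
    """Return True only for a relative Plex library path or an allowlisted origin.

    Rejects absolute URLs (scheme present), protocol-relative URLs (//host/...),
    double-encoded values, backslashes and path traversal.
    """
    if not img:
        return False
    decoded = unquote(img)  # second decode catches %2F%2F-style encoding tricks
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only an explicit origin allowlist passes.
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        return parts.scheme in ("http", "https") and origin in ALLOWED_ORIGINS
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return False
    if "\\" in path or ".." in path.split("/"):
        return False
    return path.startswith(ALLOWED_PREFIXES)


# Common Log Format line, e.g. from a reverse proxy in front of Tautulli (assumed layout).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_ssrf_attempts(log_lines):
    """Return one record per request to /pms_image_proxy whose img value fails is_safe_img."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/pms_image_proxy":
            continue
        img = parse_qs(target.query).get("img", [""])[0]
        if not is_safe_img(img):
            hits.append({"client": m.group("client"), "img": img,
                         "status": int(m.group("status"))})
    return hits


# Constructed sample log lines: one legitimate thumbnail fetch, two probes
# (one plain absolute URL, one percent-encoded protocol-relative URL), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2026:10:00:01 +0000] "GET /pms_image_proxy?img=%2Flibrary%2Fmetadata%2F4242%2Fthumb%2F1 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [30/Mar/2026:10:00:02 +0000] "GET /pms_image_proxy?img=http://192.168.1.1/ HTTP/1.1" 200 0',
    '203.0.113.7 - - [30/Mar/2026:10:00:03 +0000] "GET /pms_image_proxy?img=%2F%2F10.0.0.1%2F HTTP/1.1" 200 0',
    '10.0.0.5 - - [30/Mar/2026:10:00:04 +0000] "GET /home HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_LOG):
        print(f"suspicious img from {hit['client']} (status {hit['status']}): {hit['img']}")
```

The validator decodes the value a second time before parsing so that a double-encoded `%252F%252F` cannot slip past as a "relative" path, and it treats a protocol-relative `//host/` the same as an absolute URL. The log scanner reuses that validator rather than a separate pattern list, so a value the application would now reject is exactly what gets flagged in historical logs.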
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described is a Server-Side Request Forgery (SSRF) in Tautulli that allows unauthenticated attackers to cause the Plex Media Server to make arbitrary HTTP requests to internal or attacker-controlled URLs. This can lead to information disclosure about internal network resources.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to probe internal network services and potentially access sensitive information could pose risks to data confidentiality and privacy.
Therefore, organizations using vulnerable versions of Tautulli might face challenges in maintaining compliance with regulations that require protection of sensitive data and internal network security, such as GDPR and HIPAA.