Executive Summary

CVE-2026-31831 is an unauthenticated path traversal vulnerability in the `/newsletter/image/images` API endpoint of Tautulli versions 2.16.1 and earlier.

The vulnerability occurs because the endpoint improperly handles user-supplied input used to build file paths, failing to block directory traversal sequences like `..`. This allows attackers to access files outside the intended directory on the server's filesystem.

Attackers can exploit this flaw without authentication by sending specially crafted HTTP requests with encoded traversal sequences to read arbitrary files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts because attackers can read sensitive files from the server.

• Attackers can exfiltrate the SQLite database `tautulli.db`, which contains active JWT tokens.
• They can also access the `config.ini` file, which holds the hashed admin password, JWT token secret, and Plex Media Server tokens and connection details.

With this information, attackers may crack the admin password or use valid JWT tokens to escalate privileges and gain administrative control over the Tautulli application.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests targeting the `/newsletter/image/images` API endpoint that include directory traversal sequences such as `..` or their encoded equivalents. Attackers exploit this by sending crafted requests to read arbitrary files from the server.

Proof-of-concept commands involve sending HTTP requests with encoded traversal sequences to retrieve sensitive files like `config.ini` or `tautulli.db`. For example, an attacker might use curl commands to request paths containing `..%2F` to attempt to access files outside the intended directory.

• Monitor web server logs for requests to `/newsletter/image/images` containing `..` or URL-encoded traversal patterns such as `%2E%2E%2F`.
• Use network monitoring tools or intrusion detection systems (IDS) to flag suspicious HTTP requests with directory traversal payloads targeting the vulnerable endpoint.
• Example curl command to test for the vulnerability (do not run on unauthorized systems): curl -v "http://<target>/newsletter/image/images?file=..%2F..%2Fconfig.ini"

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Tautulli to version 2.17.0 or later, where the issue has been patched.

Until the upgrade can be performed, restrict access to the `/newsletter/image/images` API endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthenticated requests.

Additionally, monitor logs for suspicious activity and consider rotating any potentially compromised credentials or tokens stored in the affected files.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files from the server, including sensitive files such as the SQLite database containing active JWT tokens and configuration files with hashed admin passwords and Plex Media Server tokens.

This unauthorized access and potential exfiltration of sensitive authentication tokens and credentials could lead to administrative control over the application, resulting in a significant data breach.

Such a breach could compromise the confidentiality and integrity of personal data managed by the application, thereby impacting compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Useful 0 Not Useful 0