CVE-2026-32275
Cross-Origin Script Injection in Tautulli Enables API Key Theft

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: tautulli
Product: tautulli
Version / Range: From 1.3.10 (inc) to 2.17.0 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-32275 is a high-severity vulnerability in Tautulli, a Python-based monitoring tool for Plex Media Server, affecting versions from 1.3.10 up to before 2.17.0.

The vulnerability arises because the JSONP callback parameter in the Tautulli API is not sanitized. This means that an attacker can inject arbitrary JavaScript code through this parameter.

Specifically, certain API commands like 'get_apikey', 'docs', and 'docs_md' bypass authentication, allowing unauthenticated access. When combined with the unsanitized callback, this enables two main exploits: arbitrary JavaScript injection and cross-origin API key theft.

  • Arbitrary JavaScript Injection: An attacker can craft a URL that returns JavaScript containing malicious code, which executes in the victim's browser if loaded as a script.
  • Cross-Origin API Key Theft: On installations without HTTP password protection, an attacker can steal the API key by injecting a callback that exfiltrates the key to an attacker-controlled server.
Impact Analysis

This vulnerability can have serious impacts including unauthorized access and control over the Tautulli API.

  • Execution of arbitrary JavaScript in users' browsers, potentially leading to session hijacking, data theft, or other malicious actions.
  • Theft of the API key on unauthenticated installs, granting attackers full administrative access to the Tautulli API.
  • Potential compromise of the Plex Media Server monitoring environment, including unauthorized data access or manipulation.
Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the Tautulli API endpoints that accept the JSONP callback parameter and checking whether the callback value is reflected unmodified into a JavaScript response.

For example, you can use the following curl command to test if the server returns a JavaScript response with an unsanitized callback payload:

  • curl -si 'http://TAUTULLI:8181/api/v2?cmd=docs&callback=alert(1)//' | grep -E 'Content-Type|^alert'

If the response includes 'Content-Type: application/javascript' and the injected alert(1) script, the vulnerability is present.

Additionally, if your Tautulli instance is unauthenticated (no HTTP password configured), you can test for API key theft by requesting the get_apikey command with a callback parameter.

Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, ensure that HTTP authentication is enabled on your Tautulli instance to prevent unauthenticated access to the API key.

Additionally, avoid using or exposing the vulnerable JSONP callback parameter until the patch is applied.

The patch involves strict validation of the JSONP callback parameter against an allowlist of valid JavaScript identifiers to prevent injection.
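The following is an added example, not Tautulli's own code: a callback validator in the spirit of the patch described above (a dotted chain of JavaScript identifiers is the only accepted shape), plus a check that flags access-log requests whose callback would fail that allowlist, which supports the detection guidance above. Function names and the sample log lines are constructed for this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist: a dotted chain of plain JavaScript identifiers ("cb",
# "window.handlers.onData"). Parentheses, quotes, slashes, whitespace and
# semicolons can never match, so they never reach the script body.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"^{_IDENT}(\.{_IDENT})*$")
_MAX_CALLBACK_LEN = 128


def is_valid_jsonp_callback(callback):
    """True only if ``callback`` is a bounded-length identifier chain."""
    return (isinstance(callback, str)
            and 0 < len(callback) <= _MAX_CALLBACK_LEN
            and _CALLBACK_RE.fullmatch(callback) is not None)


def render_jsonp(callback, payload):
    """Wrap ``payload`` in a JSONP call, refusing any non-identifier callback.
    json.dumps() escapes the payload; the validated callback name is the only
    request-controlled text echoed verbatim into the script."""
    if not is_valid_jsonp_callback(callback):
        raise ValueError("rejected JSONP callback: %r" % (callback,))
    return "/**/%s(%s);" % (callback, json.dumps(payload))


def find_suspicious_callbacks(log_lines):
    """Return (path, callback) pairs whose ``callback`` query value fails the
    allowlist. The request path is field 7 of a common/combined-format
    access-log line ('... "GET /path HTTP/1.1" ...')."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        path = parts[6]
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for cb in query.get("callback", []):
            if not is_valid_jsonp_callback(cb):
                hits.append((path, cb))
    return hits


# Constructed sample log lines for this example (not from a real instance).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2026:10:00:01 +0000] "GET /api/v2?cmd=docs&callback=handleDocs HTTP/1.1" 200 5120',
    '10.0.0.9 - - [30/Mar/2026:10:00:07 +0000] "GET /api/v2?cmd=docs&callback=alert(1)// HTTP/1.1" 200 5121',
]
```

Running find_suspicious_callbacks(SAMPLE_LOG) flags only the second request; on an unpatched instance the same allowlist check applied before the response is written is what keeps such a value out of the script body.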

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
