CVE-2026-32275
Status: Received - Intake
Cross-Origin Script Injection in Tautulli Enables API Key Theft

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.
Meta Information
Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-05-07
AI Q&A
2026-03-30
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
tautulli tautulli From 1.3.10 (inc) to 2.17.0 (exc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32275 is a cross-site scripting (CWE-79) vulnerability in Tautulli, a Python-based monitoring tool for Plex Media Server, affecting versions from 1.3.10 up to (but not including) 2.17.0.

The vulnerability arises because the JSONP callback parameter of the Tautulli API is not validated. The callback value is written verbatim in front of the JSON body and served with a JavaScript content type, so whatever an attacker places in that parameter becomes the start of a script that any page on the web can load with a script tag.

Specifically, the API commands 'get_apikey', 'docs', and 'docs_md' are reachable without authentication. Combined with the unvalidated callback, this enables two exploits: arbitrary JavaScript injection and cross-origin API key theft.

  • Arbitrary JavaScript Injection: An attacker can craft an API URL whose response is JavaScript containing attacker-chosen code; it executes in the victim's browser when a page the victim visits loads that URL as a script.
  • Cross-Origin API Key Theft: On installations without HTTP password protection, 'get_apikey' answers without credentials, so an attacker page can load it as JSONP with a callback that forwards the returned key to an attacker-controlled server. The browser's same-origin policy does not help here, because script loading is exempt from it.

How can this vulnerability impact me? :

This vulnerability can lead to unauthorized access to, and control over, the Tautulli API.

  • Execution of arbitrary JavaScript in users' browsers, potentially leading to session hijacking, data theft, or other malicious actions.
  • Theft of the API key on unauthenticated installs, granting attackers full administrative access to the Tautulli API.
  • Potential compromise of the Plex Media Server monitoring environment, including unauthorized data access or manipulation.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted request to the Tautulli API with a callback value that is not a valid JavaScript identifier and checking whether it is reflected unchanged at the start of a JavaScript response.

For example, the following curl command uses the unauthenticated 'docs' command with the payload alert(1)//; the trailing // turns the JSON wrapper that follows the callback into a JavaScript comment:

  • curl -si 'http://TAUTULLI:8181/api/v2?cmd=docs&callback=alert(1)//' | grep -E 'Content-Type|^alert'

If the response carries 'Content-Type: application/javascript' and its body begins with the injected alert(1), the callback is being reflected without validation and the instance is vulnerable. A patched instance rejects the value (or returns plain JSON) instead of echoing it.

Additionally, if your Tautulli instance is unauthenticated (no HTTP password configured), you can test for API key theft by requesting the 'get_apikey' command with the same callback parameter; if the key is returned inside the attacker-controlled wrapper, any web page can read it.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Tautulli to version 2.17.0 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, ensure that HTTP authentication is enabled on your Tautulli instance so that 'get_apikey' no longer answers without credentials.

Additionally, until the patch is applied, keep the instance off the public internet (for example behind a VPN or an authenticating reverse proxy): a victim only needs to load a crafted URL for the injection to fire, so reducing who can reach port 8181 reduces exposure.

The patch validates the JSONP callback parameter against an allowlist pattern of valid JavaScript identifiers, rather than trying to escape it, so values containing parentheses, quotes, or comment markers are rejected outright.
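The following added example (not Tautulli's own code) models both the detection check above and the allowlist fix. `render_jsonp_vulnerable` reproduces the pre-2.17.0 behaviour of interpolating the callback unchecked, `render_jsonp_hardened` applies an identifier allowlist of the kind the patch uses, and `probe_response` is the same test the curl | grep pipeline performs. The function names, the identifier regex, and the sample API reply (including its API key) are assumptions constructed for the example.

```python
import json
import re

# Assumed: Tautulli wraps its JSON reply in the caller-supplied `callback`
# when the request carries that parameter.  All names here are illustrative.
CONTENT_TYPE_JSONP = "application/javascript"
CONTENT_TYPE_JSON = "application/json"

# Constructed stand-in for a get_apikey reply.  The key is made up.
SAMPLE_RESPONSE = {
    "response": {
        "result": "success",
        "data": {"apikey": "0123456789abcdef0123456789abcdef"},
    }
}

# Allowlist: a dotted chain of JavaScript identifiers, e.g. jQuery123_cb or
# window.cb.  Parentheses, quotes, slashes and whitespace can never match.
_JS_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
CALLBACK_RE = re.compile(rf"{_JS_IDENT}(?:\.{_JS_IDENT})*")


def validate_callback(callback: str) -> bool:
    """True only when `callback` is a plain identifier chain of sane length."""
    if not callback or len(callback) > 128:
        return False
    return CALLBACK_RE.fullmatch(callback) is not None


def render_jsonp_vulnerable(payload: dict, callback: str) -> tuple[str, str]:
    """Pre-2.17.0 shape: whatever the caller sent becomes the start of the script."""
    body = f"{callback}({json.dumps(payload)})"
    return CONTENT_TYPE_JSONP, body


def render_jsonp_hardened(payload: dict, callback: str) -> tuple[str, str]:
    """Patched shape: reject non-identifier callbacks and fall back to plain JSON."""
    if not validate_callback(callback):
        return CONTENT_TYPE_JSON, json.dumps(payload)
    return CONTENT_TYPE_JSONP, f"{callback}({json.dumps(payload)})"


def probe_response(content_type: str, body: str, marker: str = "alert(1)") -> bool:
    """Same decision as the curl | grep check: JavaScript content type AND the
    response body begins with the injected probe."""
    return content_type.startswith(CONTENT_TYPE_JSONP) and body.startswith(marker)


if __name__ == "__main__":
    probe = "alert(1)//"  # the payload from the detection section
    for name, renderer in (("vulnerable", render_jsonp_vulnerable),
                           ("hardened", render_jsonp_hardened)):
        ct, body = renderer(SAMPLE_RESPONSE, probe)
        print(f"{name:10s} reflected={probe_response(ct, body)} "
              f"content-type={ct} body={body[:48]!r}")
```

Run as a script, the vulnerable renderer reports the probe reflected at the start of a JavaScript body (`alert(1)//({"response": ...`), while the hardened renderer downgrades the same request to plain JSON with no callback wrapper. The allowlist is deliberately a fullmatch on an identifier chain rather than a blocklist of dangerous characters, which is the approach the patch takes.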


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

